Otey

"SQL Server has been the clear mindshare 
leader in enterprise databases since SQL 
Server 7.0 delivered OLAP Services with no 
additional licensing costs back in 1998." 


Microsoft Ups the Ante with SQL Server Denali 

SQL Server has evolved from a relational database to an enterprise data platform 


At this year's Professional Association for SQL Server
(PASS) conference, Microsoft and numerous other 
industry experts are presenting a variety of sessions 
showcasing the latest release of SQL Server, code- 
named Denali. Expected to be released around the 
end of the year, Denali really ups the ante for what 
an enterprise relational database product delivers. 

According to Gartner Research, SQL Server 2008 R2 and SQL 
Server Denali are number two in the enterprise database market, 
as measured by total revenue. Gartner's 2010 survey of the relational
database market revealed that Oracle still holds the top spot
with 44 percent of the market. Microsoft and SQL Server moved 
from third place to second place with 18.4 percent of the market. 
IBM is now in the third position with 13.3 percent of the relational 
database market. Although that might seem like a big separation 
between number one and number two, remember that Gartner's 
research is measured by revenue—not seats—and Oracle is much 
more expensive than SQL Server. Microsoft research indicates that 
SQL Server is first in terms of units sold. 

More important than sales figures is the fact that SQL Server has 
been the clear mindshare leader in enterprise databases since SQL 
Server 7.0 delivered OLAP Services as a part of the product, with no 
additional licensing costs, back in 1998. The path from those earlier 
releases to today's SQL Server has been marked by a number of 
significant innovations. First, Microsoft needed to deliver on the 
enterprise part of the relational database. Since those early days, 
SQL Server has evolved from a departmental relational database 
back in the SQL Server 6.5 days to the enterprise-ready data platform
that it is today. Questions about SQL Server's suitability for
enterprise scalability have been laid to rest for good since the SQL 
Server 2000 release almost 11 years ago. SQL Server's relational 
database enterprise scalability has been proven by thousands 
of organizations, not to mention many number one and top ten 
TPC-E, TPC-H, and TPC-E scores. 

Enterprise scalability laid the foundation that allowed SQL 
Server to compete head-to-head with Oracle and IBM, but it was 
the other innovations that made SQL Server the mindshare leader. 
Although other enterprise databases had business intelligence (BI) 
features available, all of those features were expensive add-ons 
(in some cases, very expensive). Adding BI to the base product 
was instrumental in enabling the entire BI market to grow from a 
niche segment to mainstream technology. Today's SQL Server 2008
R2 and the upcoming SQL Server Denali release have so much
additional functionality that the product has evolved beyond a 
relational database to an enterprise data platform. 

Although the foundation for SQL Server Denali is the relational 
database engine, that's really just the tip of the iceberg. SQL Server 
Denali also includes five other subsystems that each provide significant
additional functionality beyond pure relational database
capabilities. First, there's the BI engine that's delivered in the 
Analysis Services subsystem. Analysis Services is the successor 
to the older OLAP Services and it enables fast ad-hoc decision 
support queries. Next, there's the Integration Services subsystem. 
Integration Services is Microsoft's extraction, transformation, and 
loading (ETL) tool that can transfer and transform data loaded 
into both data warehouses and relational databases. Next, Reporting
Services is able to surface both relational OLTP data and BI
OLAP data in a variety of formats that can be included in your 
applications and management dashboards. The combination of 
Analysis Services, Integration Services, and Reporting Services 
forms the core of Microsoft's BI platform. In addition, SQL Server 
2008 includes Master Data Management Services, which enables 
companies to create a single authoritative data source by integrating
definitions from multiple disparate databases. To this,
Denali will add Data Quality Services, a data cleaning subsystem 
designed to make sure enterprise data conforms to an organization's
business rules.

Other important features that the Denali release will include 
are the new AlwaysOn high-availability feature, which combines 
the best of Windows failover clustering and database mirroring; the 
new SQL Server Development Tools IDE, which provides a unified 
development experience for both relational and BI developers; the 
new columnar index feature, which can speed up data warehousing
queries by up to 100x; and the new Project Crescent, which is
designed to enhance end-user data visualization. 

The upcoming SQL Server Denali release is no gamble. SQL 
Server might not be the market leader in enterprise database 
market revenue, but it's most definitely the leader in the features 
it brings to market. It provides more bang for the buck than any of 
the other enterprise-oriented relational databases.

InstantDoc ID 140298 

MICHAEL OTEY (motey@windowsitpro.com) is senior technical director 
for Windows IT Pro and SQL Server Magazine and author of Microsoft SQL Server 
2008 High Availability with Clustering & Database Mirroring (McGraw-Hill). 
Thurrott

"Yes, Android has other issues around OS 
version fragmentation and so on. But it's now highly 
unlikely—impossible, really—for Apple to try and 
block the sale of Android devices generally." 



HP Drops a Grenade and Google Purchases Patent 
Protection 


I generally like to cover a wide range of topics in this column,
but two blockbuster tech industry announcements
dominated the headlines this summer and will have 
ramifications for years to come. So let's dive right into what 
can only be described as the most interesting year for tech 
news in a long while. 

HP Drops a Grenade in Room, Runs 

PC giant Hewlett-Packard (HP) made several blockbuster revelations
in mid-August, and attached them, for some reason, to its
otherwise decent quarterly financial results announcement. The 
firm said it would purchase corporate search software maker 
Autonomy for $10.3 billion, would stop selling its webOS-based 
smartphones and TouchPad tablet, and was examining whether 
to sell or spin off its PC business. HP, in other words, is following 
in the footsteps of IBM. 

Curiously, the webOS piece of the announcement got the most 
press. But the other two revelations are far more important. HP is 
attempting to do what IBM did before it, which is to reinvent itself 
as a purely corporate-focused provider of software and services. 

That HP would drop its PC business is, perhaps, the most 
shocking. At the time of the announcement, HP was the number 
one PC maker in the world, selling far more units per quarter than 
its closest rival, Dell. (According to IDC, HP controls 18 percent 
of the worldwide market for PCs, compared to 11 percent for 
number-two Dell.) 

So why the exit strategy? HP, like the old General Motors, is a big 
company that brings a lot of overhead to every physical product it 
sells. But the PC market is a low-end, cut-rate commodity market, 
except for Apple, which has nicely established itself as the only 
high-end PC maker that customers actually consider. And HP's 
strategy to play in Apple's territory has failed on two counts: Its 
expensive MacBook Pro knock-offs, the Envy line of PCs, have been 
ignored by consumers. And its attempt to copy the success of the 
iPhone and iPad via its blockbuster purchase of Palm a year ago 
has been even less successful: Smartphones based on Palm webOS 
fall into the "Other" category in smartphone market share reports
and haven't dented the market in the slightest. Even Windows 
Phone looks like a powerhouse by comparison. 

Looking just at HP's PC business, there are heady revenues 
($40.7 billion for its previous fiscal year) but relatively tiny profits 
($2 billion for the same time frame). And while smaller PC makers 
like ASUS, Acer, and Samsung may be able to flourish in such a
market, this just isn't HP's forte. One wonders if Dell, which today
offers a similar mix of PCs and corporate services, is next. Though 
let's be honest here: A month ago, few people were wondering 
about such things. That the top PC maker would simply give up is 
nothing short of a bombshell. 

Which leads naturally to Microsoft. HP wasn't just Microsoft's 
biggest PC maker partner, it was also the software giant's closest
companion, the one company that would follow wherever Microsoft
led. Anytime a Microsoft product came to market, HP was
there with the corresponding hardware. It reads like a Who's-Who 
list of forgotten Microsoft products, from the Pocket PC and Windows
Mobile to Media Center and the Tablet PC. It was corporate
codependency at its most obvious.

In the finest traditions of Monday morning quarterbacking, 
however, we should have seen this one coming. HP, of all companies,
purchased ailing Palm and promised to unleash its webOS
platform not just on smartphones, but on tablets and, get this, even 
on its PCs. That's right: HP's plan was to deliver PCs to consumers 
and businesses that would dual-boot between Windows and Palm 
webOS, offering a choice, yes, but also a not-so-subtle shiv in the
side of Microsoft's decades-long strategy. 

This plan seemed curious at the time, but it never came to 
fruition, seeming more fantastical than real. But we should now 
see HP's webOS experiment—failed along with the poor-selling 
webOS-based TouchPad tablet that no one seemed to want—as 
the wake-up call that it is. Here was Microsoft's biggest and closest 
partner buying its own platform so it could step out of Microsoft's 
shadow and provide complete, HP-based software and hardware 
solutions to customers. Clearly, the company had been planning 
something for a long time now, some seismic strategy shift. That it 
moved so quickly to kill off both webOS and its PC business—the 
TouchPad was barely on the market two months—is interesting. 
HP is clearly serious about remaking itself. 

For HP's customers, there are many questions and few answers. 
Both webOS and the HP PC business could be spun off, together or 
separately, or sold to other parties. Samsung allegedly was in talks to 
purchase the PC business earlier this year, for example. I expect HP, 
like IBM, to continue to support its PC products, and like IBM, to resell 
PCs from whatever company does walk away with this business. 

That said, HP's exit from the PC business and from the broader 
consumer market changes everything, not just for Microsoft, 
but for the many other companies that are trying to compete in 
these markets. For entrenched successes like Google, with its 
Android-based products and services, and
Apple, with iOS (iPhone, iPad), HP's exit is 
confirmation that their focus on "post-PC" 
products and services is the right one. For 
other big PC makers—Dell, and possibly 
Lenovo—HP's move is perhaps something 
they've considered themselves. And for the 
smaller PC players, HP is providing them 
with a chance to make new moves in this 
post-netbook PC market. 

Besides my GM comparison previously, 
the parallels with the car market are everywhere.
Just as today's Hyundais, Kias, and
Smart Cars would have been inconceivable
to American car buyers 30 years ago,
the notion that the Acers, ASUSes, and
Samsungs of the PC world could be major
players today would have been inconceivable
to buyers of the first PCs. The times
they are a-changing. 

Google, Android, and Motorola 

Previous to the HP late-summer blockbuster,
the big tech news of the year
involved escalating mobile industry patent
skirmishes, which seemed destined to
drag Apple, Google, Microsoft, RIM, and 
other players into full-blown warfare. Then 
Google simply purchased handset maker 
Motorola Mobility, not for its phones but its 
patents. With that move, the mobile industry
suddenly seemed destined for more of
a quiet, Cold War-style, barely-disguised 
animosity between these companies. 

How we got to this point is convoluted, 
but the short version goes like this: With the 
tech industry's seemingly inevitable move 
from traditional computers to mobile devices 
such as smartphones and tablets, those who 
wish to play in this new market—platform 
makers like Apple, Google, and Microsoft, 
but also the hardware makers (HTC, LG, 
Samsung) that resell those platforms—are 
jockeying for position. And as Apple CEO 
Steve Jobs noted when he announced the 
first iPhone—"we've patented the hell out 
of it"—the prime bargaining chip that any 
of these companies has is often the patents 
that protect their inventions. 

These patents are used in different 
ways, but the most common is cross-licensing,
where two companies each license the
others' patents. When companies refuse to
license another's patents, they are threatened
then sued. Oddly, few of these cases
have gone to court, and indeed, there's 
a subset of the tech punditry that argues
(without really knowing one way or the 
other) that many of these patents could 
ultimately be found invalid if they were 
tested in a legal setting. But such issues, 
as with a general call for patent reform, 
are beside the point: Patents are part of 
the business, so this is the environment in 
which these companies must compete. 

Enter Google: The online giant has a 
nearly unlimited supply of cash thanks to 
its successful advertising efforts, which 
feed off the company's near-monopoly 
search engine. To jumpstart its mobile 
efforts, Google elected to give away its 
Android mobile OS rather than charge a 
per-unit licensing fee as, say, Microsoft 
does. This strategy comes with various 
pros and cons—again, a topic for another 
discussion—but the result is not debatable: 
Google now owns 43 percent market share 
for smartphones, a heady leap over the 17 
percent it commanded a year ago. And its 
lead over Apple and the other smartphone 
makers is growing day by day. 

Some—including yours truly—have 
argued that Google is following in Microsoft's
antitrust footsteps by using its dominance
in one market (in this case, search/
advertising) to dump another no-cost product
(in this case, Android) in a new market.
More to the point, however, Google never 
established a portfolio of patents related 
to its mobile industry products. Until this 
year, however, the other companies in the 
smartphone industry—the companies that 
would like to license their own technologies
to others, like Google—never really
threatened Google with patent violation 
claims, even though Android is clearly 
infringing on numerous mobile patents. 

Instead, these companies went after the 
smaller companies—like HTC, Motorola, 
and Samsung—that sell Android-based 
phones. This makes sense from a strategic 
sense, since these smaller companies can't 
afford to be held up in court for years at a 
stretch, as Google could. But it also allowed 
Google to continue dumping Android and 
establishing itself, arguably unfairly, as the 
market leader. 

So this year, Google became the target. 
And when Apple, Microsoft, RIM, and 
other companies purchased a Nortel patent
portfolio for $4.5 billion, Google cried
foul, complaining to the US government 
that this cabal was allying against it and
would use those patents as a club in order 
to get Google to pay. 

That was exactly their plan, of course. 
So in August, Google announced a blockbuster
purchase of its own: The company
will purchase Motorola Mobility for $12.5
billion, picking up an Android hardware
maker (and somewhat souring its relationship
with other partners in the process).
But Motorola is most interesting because 
of its 17,000 patents, many of which are 
related to the mobile industry. 

And with this purchase, Google finally 
has purchased the patent protection that 
Android requires. This gives Google the 
defense it needs when Apple, Microsoft, or 
other companies come complaining about 
Android's patent infringements. Because 
it's highly likely that these companies' 
mobile products are themselves infringing 
on Motorola's patents. And heck, why go to 
court when you can simply cross-license? 

What this means to potential customers 
of these devices is that a cloud that once 
loomed over Android is now removed. Yes, 
Android has other issues around OS version 
fragmentation and so on. But it's now highly 
unlikely—impossible, really—for Apple to try 
and block the sale of Android devices generally.
(This is a strategy Apple is currently
using against Android licensee Samsung 
in Europe.) Which means, going forward, 
Android and iPhone will likely continue to 
carve up the top 60 percent of the market 
or so for themselves, leaving the rest of the 
market to also-rans like RIM BlackBerry and 
Microsoft/Nokia Windows Phone. 

I don't believe that Google intends to 
do anything interesting or exciting with 
Motorola's handset business or other hardware
(the company also makes cable TV set
top boxes). That would create too much 
of a strain on Google's partners and could 
lead to a diminished role for Android. Thus, 
I expect Google to spin or sell Motorola's 
hardware business as soon as possible. 
(Note that the Motorola sale, if approved by 
regulators, won't happen until 2012.)
WINDOWS POWER TOOLS



Minasi 

"Get-ADUser is a strong tool 
that every AD administrator 
should start using." 


Find Users with Get-ADUser 

This handy Active Directory tool is part of the 76-cmdlet PowerShell collection 


Over the 11 years that Active Directory (AD) has been
around, we've seen a number of automation tools 
that can extract subsets of AD. The latest in that line— 
Get-ADUser—is a member of Windows Server 2008 
R2's 76-cmdlet PowerShell team. It's a strong tool that 
every AD administrator should start using, so it's the 
focus of this month's column. 

Essentially, all you'll need in order to run Server 2008 R2's AD 
cmdlets is at least one Windows 7 or Server 2008 R2-based member
server (from which to issue the commands) and at least one
Server 2008 R2-based domain controller (to receive and execute 
the commands). I say "essentially" because you can actually get a 
pre-Server 2008 R2 DC to understand PowerShell commands, but 
that's a long story for another day. 

To start finding user objects with Get-ADUser, open a PowerShell
window and import the AD module by typing import-module
activedirectory, or its shortened version, ipmo ac*. If you've ever
used a PowerShell cmdlet that starts with get- (e.g., get-process,
get-service), you might imagine that you could simply type get-aduser,
and then PowerShell would show you all the users, but that doesn't 
happen. Rather, PowerShell prompts you for some parameters. 

The parameter you'll use most commonly is -filter, which lets 
you insert criteria for picking out the users you want. The most 
basic one is 

get-aduser -filter * 

which tells PowerShell to retrieve every user account in your AD 
implementation. I highly recommend that you do not run that 
command on your production network unless it's very small or you 
don't mind overloading your local DC. I recommend getting pickier, 
as in this example that finds all users whose first names are Mark: 

get-aduser -f {GivenName -eq 'Mark'} 

If you run that command on a network that lacks anyone named 
Mark, PowerShell will return a prompt with no explanatory text. 
That example raises a number of concerns, however, so let me 
provide a few explanatory notes. 

First, notice that I typed -f, not -filter. PowerShell lets you
abbreviate any parameter name as much as you want, as long as
the abbreviation doesn't create ambiguity. The only parameter
that starts with the letter f is -filter, which is why you can shorten it
down to -f. But if this cmdlet had a -finger parameter, for example,
-f would be too ambiguous and I wouldn't be able to abbreviate it
smaller than -fil.

Second, what's with GivenName? The names of AD user attributes
come from the X.500 standard schema, and—for whatever
reason—the folks who cooked up X.500 chose to use the more 
European phrase GivenName (rather than FirstName). If you've 
used ADSI Edit, you already know this, but what you might not 
know is that the folks who wrote the AD cmdlets took things further 
by offering multiple versions of some attributes. For example, the 
X.500 phrase for last name is sn, which is short for surname. (Don't
ask me why the X.500 folks didn't use gn as the attribute for first
name!) Anyway, you'll find that PowerShell cmdlets recognize both
sn and surname as valid user attributes. You can, however, easily 
see a complete list of attributes that user Mark has, like so: 

get-aduser -f {name -eq 'Mark'} -properties * | get-member

Save that command's output! It's a useful listing of the layout of AD
user objects and thus will simplify crafting queries in the future. 

Third, you've probably guessed that -eq is PowerShell-speak for 
is equal to. You can't use an equals sign in your queries, so -f {name
= 'Mark'} won't fly. You might be surprised, however, that the following
won't work either (or at least not the way you'd expect):

get-aduser -f {name -eq 'M*'} 

PowerShell draws a distinction between comparisons that contain 
wildcards and those that don't. For an exact-match search, use -eq. 
For one incorporating a wildcard, use -like, as in

get-aduser -f {name -like 'M*'}

I've been comparing name to Mark with a capital letter, but I 
should mention that the AD PowerShell cmdlets are case-insensitive.
PowerShell experts might know that you can, in general,
specify case-sensitive comparisons by using the -ceq operator 
instead, but note that you can't do that with the AD cmdlets. 
There's no -ceq support there. 

Querying on a first name is, of course, a pretty simple query. 
Next month, I'll show you some more in-depth queries. 
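The commands in this column, gathered into one script as an added example (this is not code from the column or from Microsoft). It assumes the ActiveDirectory module is installed on a Windows 7 or Server 2008 R2 machine that can reach a Server 2008 R2 domain controller and that the caller can read the domain; the OU path, account names and output file path are placeholders. The helper picks -eq or -like from the pattern so a wildcard never ends up on -eq, and it scopes the query with -SearchBase and -ResultSetSize instead of pulling the whole directory, which is the column's warning about "-filter *" on a busy DC.

```powershell
# Added example, not code from the column. Assumes the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT) is installed and the caller can read the
# domain. The OU path, account names and file path below are placeholders.
Import-Module ActiveDirectory    # the column's "ipmo ac*" does the same thing

function Find-ADUserByGivenName {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Pattern,                                    # e.g. 'Mark' or 'M*'
        [string] $SearchBase = 'OU=Staff,DC=example,DC=com',  # placeholder OU
        [int]    $Limit = 200                                 # cap on rows returned
    )

    # Get-ADUser treats -eq as an exact match and -like as a wildcard match.
    # A wildcard combined with -eq returns nothing, so choose the operator
    # from the pattern. Both comparisons are case-insensitive with the AD
    # cmdlets; there is no -ceq here.
    $op = if ($Pattern.Contains('*')) { '-like' } else { '-eq' }

    # The column writes the filter in braces; a string is equivalent and
    # makes the variable expansion explicit.
    $filter = "GivenName $op '$Pattern'"

    # -SearchBase and -ResultSetSize keep the query scoped so a typo does not
    # turn into "-filter *" against the whole directory on a production DC.
    # LastLogonDate is not returned by default, so it is requested explicitly.
    Get-ADUser -Filter $filter -SearchBase $SearchBase -ResultSetSize $Limit `
               -Properties LastLogonDate |
        Select-Object SamAccountName, GivenName, Surname, Enabled, LastLogonDate
}

function Save-ADUserAttributeLayout {
    # Writes the attribute names one user object exposes (the "save that
    # command's output" advice) to a text file and returns the path.
    param(
        [Parameter(Mandatory = $true)] [string] $SamAccountName,
        [string] $Path = (Join-Path $env:TEMP 'aduser-attributes.txt')
    )
    Get-ADUser -Identity $SamAccountName -Properties * |
        Get-Member -MemberType Property |
        Select-Object -ExpandProperty Name |
        Set-Content -Path $Path
    return $Path
}

# Usage (placeholder names):
# Find-ADUserByGivenName -Pattern 'Mark'       # exact match via -eq
# Find-ADUserByGivenName -Pattern 'M*'         # wildcard match via -like
# Save-ADUserAttributeLayout -SamAccountName 'mark.example'
```

Parameter abbreviations such as -f are convenient at the prompt, but in a saved script the full names (-Filter, -Properties, -SearchBase) read better and will not break if a later module version adds a parameter that starts with the same letters.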
TOP 10


Otey 

"Denali's support for Server Core enables leaner 
and more efficient SQL Server installations and 
reduces potential attack vectors." 

New Features in SQL Server Denali 

You'll get better tools, improved security features, and enhanced architecture 



The next release of Microsoft SQL Server, code-named
Denali, is right around the corner. Microsoft has just 
released Denali CTP3, and the final release is expected 
by the end of the year. Denali continues SQL Server's 
climb into the enterprise with a number of important 
features. Here are the top 10 most significant new features
in the SQL Server Denali release.

1. SQL Server Developer Tools—Denali provides a new development
environment, SQL Server Developer Tools, code-
named Juneau. Juneau uses the Windows Presentation
Foundation-based Visual Studio 2010 shell, and it unifies development
for Business Intelligence Development Studio and Visual Studio.
Juneau aims to make the development environment consistent
for both SQL Azure and the on-premises version of SQL Server.

2. Contained databases—Contained databases make it easy to
move databases between different instances of SQL Server. 
With Denali, users don't need logins for the SQL Server 
instance because all authentications are handled by the contained 
database. Contained databases have no configuration dependencies 
on the instance of SQL Server that they're hosted on and can be 
moved between on-premises SQL Server instances and SQL Azure. 

3. Project "Crescent"—The new data visualization tool, code-
named Project "Crescent," is closely integrated with Share- 
Point 2010 and Silverlight. Crescent makes it easy for users 
to create great-looking data pages and dashboards by using data 
models that are built using PowerPivot or from tabular data from 
SQL Server Analysis Services. 

4. Data Quality Services—Valid data is critical for making effective
decisions. Data Quality Services lets you set up a knowledge
base that defines your metadata rules. You can then run
Data Quality Services projects to apply those rules to data stored in 
a SQL Server data source. The Data Quality Services projects cleanse 
the data and allow viewing of good, invalid, and corrected rows. 

5. User-defined server roles—An important security-related
feature in Denali is the addition of user-defined server roles.
Earlier releases had fixed server roles that were predefined 
by Microsoft. These roles weren't as flexible or granular as some 
organizations wanted. The new user-defined server roles give 
organizations more control and customization ability over Denali's 
server roles. 


6. Change data capture (CDC) for Oracle—CDC lets you
keep large tables in sync by initially moving a snapshot to a 
target server, then moving just the captured changes 
between the databases. With the SQL Server 2008 release, CDC was 
limited to use in SQL Server. A big improvement in the Denali 
release is the addition of CDC for Oracle. 

7. T-SQL enhancements—Two of the most important T-SQL
enhancements in Denali are the addition of the Sequence 
object and the window functions. Sequence lets you tie 
unique row identifiers across multiple tables. The new window 
functions apply to sets of rows using the new OVER clause. 

8. Columnar store index—The columnar store index, or column-based
query accelerator, uses the same high performance/high
compression technology as PowerPivot, and it
brings that technology into the database engine. Indexed data is 
stored according to the data of each column rather than by the 
rows, and only necessary columns are returned as query results for 
columnar indexes. Microsoft states this technology can provide up 
to 100 times improvement in query performance in some cases. 

9. Support for Windows Server Core—The ability to run SQL
Server on Windows Server Core has been missing from
previous releases of SQL Server. Server Core is designed for
infrastructure applications such as SQL Server that provide backend
services but don't really need a GUI on the same server.
Denali's support for Server Core enables leaner and more efficient 
SQL Server installations and at the same time reduces potential 
attack vectors and the need for patching. 

10. AlwaysOn—Without a doubt, the most important new
feature in SQL Server Denali is the new SQL Server
AlwaysOn feature. AlwaysOn is essentially the next evolution
of database mirroring. AlwaysOn supports up to four replicas.
The data in the replicas can be queried, and backups can be performed
from the replicas. Although it's still early, AlwaysOn seems
more complicated to set up than database mirroring because it
requires Windows Failover Clustering, but the advantages appear
to make it well worth the extra effort.

InstantDoc ID 140115 


MICHAEL OTEY (motey@windowsitpro.com) is senior technical director
for Windows IT Pro and SQL Server Magazine and author of Microsoft SQL Server 
2008 High Availability with Clustering & Database Mirroring (McGraw-Hill). 




www.windowsitpro.com | We're in IT with You | Windows IT Pro | OCTOBER 2011 | 9





ENTERPRISE IDENTITY


Deuby

"Federation isn't a 'nice to have' add-on. It will
quickly become a mandatory high-availability 
service of your IT infrastructure." 



Federation at Microsoft 

How Microsoft IT runs one of the world's largest federation services 


If you've been reading this column for a while, you're realizing
that sooner or later you'll need to implement some
kind of federation service in your identity infrastructure.
This service will allow you to provide single sign-on (SSO) to
cloud-based services—both on-premises and in the public
cloud—for your enterprise users, using their enterprise credentials.
If you don't provide SSO, your users will be forced to find
their own ways of using these cloud service providers, and probably 
not in a way you'd prefer. In this column, I'll review the production 
federation service of a well-known enterprise: Microsoft. 

To find out how Microsoft runs its federation service, I sat down 
with my friend and ex-Directory Services MVP, Laura Hunter, at the 
Cloud Identity Summit. Laura is an ex-MVP because she accepted 
a position as identity and access management architect for Micro¬ 
soft IT, specifically for federation services. Besides her principal 
responsibilities with the federation infrastructure, she speaks at 
various conferences to show IT pros how federation is managed 
in what's probably the largest production federation environment 
in the world. 

Federation's History at Microsoft 

Microsoft started "dogfooding" federation with the release of 
Active Directory Federation Services (AD FS) 1.0 at the time of 
Windows Server 2003 R2. The company's original reason for implementing
AD FS wasn't to provide access to what we now think of as
cloud applications (remember, this was around 2005), but to make 
it easier for its employees to access Microsoft's external providers.
The first federated trusts for the company were payroll, HR,
employee benefits, and the Microsoft company store. Establishing 
these trusts made it possible for employees to use their enterprise 
Microsoft credentials to access the providers' resources. 

In 2010, Microsoft IT's upgrade of its federation service to AD 
FS 2.0 with its support of the widely used SAML protocol—coupled 
with the rise of cloud computing—resulted in an explosion of use 
for this service. Microsoft developers began creating new applications,
and re-architecting existing applications, to use claims-
based authentication instead of traditional integrated Windows 
authentication. Laura estimates that Microsoft IT is currently 
managing approximately 900 relying party trusts, though not all 
of them are for production services. (There might be as many as 
six trusts needed to support a production service at each stage of 
its lifecycle, such as proof of concept, development, customer test, 
integration test, and so on.) 


Perhaps surprisingly, a large number of these applications are 
on premises within the Microsoft network. An important feature 
of claims-aware applications is that, to the applications, the traditional
corporate firewall (the "flaming brick wall," as security expert
Gunnar Peterson puts it) doesn't exist because all the application's 
traffic goes over always-open ports 80 (HTTP) or 443 (HTTPS). As a 
result, claims-aware applications are very portable and are equally 
comfortable inside or outside that corporate firewall. 

Microsoft's IAM Environment

Figure 1 shows an overview of Microsoft IT's identity and access 
management (IAM) environment. It consists of three major areas: 
Microsoft's internal network, called CorpNet; its extranet (DMZ), 
for collaboration with partners; and cloud services. Let's look at 
CorpNet first. Naturally, Microsoft uses all the identity tools at its 
disposal, so it uses Forefront Identity Manager (FIM) to integrate 
the company's HR database into the product's metaverse. This 
metaverse is "upstream" of its AD environment and feeds select 
HR data into it. As you might suspect, a company like Microsoft 
with tens of thousands of developers has a pretty complicated AD 
configuration. 

It's important to remember that when the phrase "Log on using your enterprise credentials" is casually tossed around in federation scenarios, the authentication process is often a lot more complicated than it sounds. Many companies don't have a single domain, or forest, that contains everyone's user accounts. For a variety of reasons, user accounts might be scattered across multiple forests. Microsoft, for example, has eight different AD production forests comprising 18 production domains, any one of which might contain a user's corporate-sanctioned credentials. (Of course, there are many test and development forests with separate, isolated credentials.) Because providing a separate federation service for each credential store would be too costly and labor-intensive, Microsoft has configured its major account forests to use forest trusts, with selective authentication where required, to allow users to access resources (federation among them) across the forests. Along with the multi-forest AD environment, IT's production AD FS service interacts with other claims sources (e.g., physical security), authorization services, and more than 2,500 IT-supported line-of-business (LOB) applications.

Microsoft's extranet environment exists to allow Microsoft employees to sponsor credentials for partners and vendors for collaboration purposes, and to allow these partners to access resources such as SharePoint. An AD FS proxy is another key component of the extranet, which I'll review in more detail later.

Figure 1: Microsoft's IAM environment

Microsoft's cloud computing environ¬ 
ment is an enormous and vitally important 
facet of Microsoft's computing story. This 
environment falls into three categories. 
Office 365—Microsoft's Software as a Ser¬ 
vice (SaaS) version of its most popular 
desktop and server applications—is used 
by Microsoft internally (in addition to the 
service's external customers) and uses the 
DirSync service to synchronize identities 
between corporate Office 365 users and 
the service. Windows Azure is Microsoft's 
Platform as a Service (PaaS) offering. PaaS 
provides a platform for developing SaaS 
applications. It was the first Microsoft 
cloud computing product for the simple 
reason that Microsoft's own developers 
needed a platform for creating SaaS ver¬ 
sions of the company's enterprise software. 
As you might expect, Windows Azure is 
very heavily used at Microsoft, and AD FS— 
along with the Windows Azure AppFabric 
Access Control Service (ACS)—facilitates 
this. Finally, Microsoft uses a wide variety 
of third-party cloud computing service pro¬ 
viders and partners (such as the previously 
mentioned payroll service). 

Federation Is Mission Critical 

Even though federation is a new service in the IT world, don't make the mistake of thinking it isn't an important service. One way to think of a federation service is as a gateway between the Kerberos world and the claims-based world. Claims-based authentication uses claims wrapped in a digitally signed token.

The standard for enterprise authentica¬ 
tion is AD, of course, and it uses Kerberos 
tickets. Making enterprise authentication 
work with claims-aware applications means 
that tickets must be transformed to tokens, 
and vice versa. This transformation is the 
main function of the Security Token Service 
(STS) component of a federation service 
such as AD FS. 

This means that as companies begin to use claims-aware applications both externally and internally, the federation service quickly becomes part of the mission-critical infrastructure. Just count the number of arrows leading to and from AD FS and its proxy service in Figure 1 to see how critical it is to Microsoft!

The advice that Laura would give to 
companies that are planning a federation 
service (note: that should be most of you) 
is to take a look at your requirements, 
because those requirements will deter¬ 
mine what kind of federation architecture 
you need. She says, "At the end of the day, federation is pretty simple. It's about my people accessing your stuff, or your people accessing my stuff, or my people accessing a provider's stuff. Who are your customers? Who are you trying to authenticate to what applications?"

An enterprise that wants to authenticate 
its users to SaaS apps should probably 
have an on-premises federation service. An 
ISV that wants to make it easy for users to 
authenticate to a cloud-based application 
should probably host its federation service 
in the cloud, too. 

Laura likes to joke, "If you're having 
trouble setting up AD FS, it's either a prob¬ 
lem with PKI or a typo." On a more serious 
note, she recommends that you build your 
federation service with the end state in 
mind—in other words, plan for high avail¬ 
ability from the beginning. Based on my 
AD experience, I'd suggest that you build 
in lifecycle management for your federated 
trusts from the start, just like you should be 
doing lifecycle management for AD users, 
groups, and computers. 
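Lifecycle management for federated trusts starts with knowing what you have. The PowerShell below is an added example, not the article's or Microsoft IT's code: it inventories the relying party trusts on an AD FS 2.0 federation server with the Get-ADFSRelyingPartyTrust cmdlet and flags the ones that need a review (disabled, configured by hand with no metadata URL, metadata not refreshed, expired partner certificate, no recorded owner). It assumes the AD FS 2.0 snap-in on Windows Server 2008 R2 and the property names that snap-in exposes (verify them on your version), a 90-day staleness threshold, and a local convention, also an assumption, of recording "Owner: <alias>; Stage: POC|DEV|TEST|PROD" in each trust's Notes field so the six-trusts-per-service pattern described above can be grouped by lifecycle stage.

```powershell
# Added example, not the article's or Microsoft IT's code: inventory AD FS 2.0
# relying party trusts and flag the ones that need a lifecycle review.
# Run on a federation server as an AD FS administrator (Windows Server 2008 R2).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

$staleDays = 90          # assumption: metadata not refreshed for this long is worth a look
$now       = Get-Date

$report = foreach ($trust in Get-ADFSRelyingPartyTrust) {
    $issues = @()

    if (-not $trust.Enabled) { $issues += 'disabled (retire it or document why it is kept)' }

    # Trusts built from federation metadata can auto-update; hand-configured ones rot silently.
    if (-not $trust.MetadataUrl) {
        $issues += 'no metadata URL, configured by hand'
    } elseif ($trust.LastMonitoredTime -and ($now - $trust.LastMonitoredTime).TotalDays -gt $staleDays) {
        $issues += "metadata not refreshed for more than $staleDays days"
    }

    # Expired partner certificates break signed requests and encrypted tokens.
    foreach ($cert in @($trust.RequestSigningCertificate) + @($trust.EncryptionCertificate)) {
        if ($cert -and $cert.NotAfter -lt $now) {
            $issues += "partner certificate expired $($cert.NotAfter.ToShortDateString())"
        }
    }

    # Local convention (assumption): Notes holds 'Owner: <alias>; Stage: POC|DEV|TEST|PROD'.
    if ($trust.Notes -notmatch 'Owner:\s*\S+') { $issues += 'no owner recorded in Notes' }
    $stage = if ($trust.Notes -match 'Stage:\s*(\w+)') { $matches[1] } else { 'unknown' }

    New-Object PSObject -Property @{
        Name        = $trust.Name
        Identifier  = ($trust.Identifier -join ', ')
        Stage       = $stage
        LastUpdated = $trust.LastUpdateTime
        Issues      = ($issues -join '; ')
    }
}

# How many trusts exist per lifecycle stage, then the ones that need attention.
$report | Group-Object Stage | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.Issues } | Sort-Object Stage, Name |
    Format-Table Name, Stage, LastUpdated, Issues -AutoSize -Wrap
$report | Export-Csv -NoTypeInformation -Path "adfs-trusts-$($now.ToString('yyyyMMdd')).csv"
```

Run it on a schedule and diff the CSV against the previous run; a trust that appears without an owner, or a POC trust that has outlived its project, is exactly the kind of object that AD lifecycle management catches for users and computers and that federation needs just as much.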

Don't forget to also take the requirements for an AD FS proxy into account. You'll want an AD FS proxy (an AD FS installation option) as part of your architecture in addition to the core AD FS service. Why do you need a proxy? Unlike the AD FS service itself, the proxy doesn't have to be joined to a domain; it's usually placed in a DMZ, where it terminates the connections coming from the Internet and forwards external authentication requests to the AD FS service over HTTPS, so only the proxy needs to be reachable from outside. In Microsoft's case, it's used to allow employees outside the corporate network to use claims-aware applications. It also allows extranet partners to use some of these applications. Like the core AD FS service, it should also be configured for high availability.

Federation isn't a "nice to have" add-on. It will quickly become a mandatory high-availability service of your IT infrastructure. Leading by example, Microsoft IT demonstrates federation's importance. To quote Microsoft Technical Fellow John Shewchuk, "Identity is the glue that binds federated IT together." And a federation service, whether it's maintained on premises or hosted in the cloud, is the glue that binds your AD environment and claims-aware applications together to help create a federated IT.
WHAT WOULD MICROSOFT SUPPORT DO?

Give Microsoft's Scalable Networking Pack Another Look

New best-practice recommendations surrounding Receive-Side Scaling and TCP Chimney Offload

by Tod Edwards


Back in 2007, Windows Server 2003 SP2 introduced a set of networking performance features, collectively known as the Scalable Networking Pack (SNP), that utilized hardware acceleration to process network packets and achieve higher throughput. Prior to SP2, these features were also available in an out-of-band update for SP1 as described in the Microsoft article "The Microsoft Windows Server 2003 Scalable Networking Pack release" (support.microsoft.com/kb/912222), but weren't widely deployed by customers. The SNP features are commonly known as Receive-Side Scaling (RSS), TCP Chimney Offload (sometimes called TOE), and Network Direct Memory Access (NetDMA). In this month's column, I'll discuss performance specifics around RSS and TOE.

Historical Problems 

Because of issues in the OS components and issues in network card 
drivers or system BIOS, customers who deployed Server 2003 SP2 on 
hardware that could utilize any of the three features often had prob¬ 
lems. Many customers resolved problems by disabling the features on 
Server 2003, and Microsoft released an update in the article "An update 
to turn off default SNP features is available for Windows Server 2003- 
based and Small Business Server 2003-based computers" (support 
.microsoft.com/kb/948496) that would disable the three features. A 
later update, "A Scalable Networking Pack (SNP) hotfix rollup pack¬ 
age is available for Windows Server 2003" (support.microsoft.com/ 
kb/950224), allowed customers to enable the features if needed, 
but Microsoft's recommendation is to leave the features disabled 
unless there's a business need to enable them for higher network 
performance. In general, customers needing higher networking 
performance should utilize Windows Server 2008 or Server 2008 R2, 
due to the included next-generation TCP/IP stack. 

Fear in the IT Community 

Because of the problems with SNP in Server 2003 SP2, the IT com¬ 
munity quickly adopted the common practice to proactively and 
reactively disable these features. For Server 2003, this makes sense. 
But for Server 2008 and Server 2008 R2, disabling these features 
can often result in lower network performance and lower server 
capacity. These features are very stable on Server 2008 R2 (with or 
without SP1), and Server 2008 can achieve the same stability using 
SP2 and additional hotfix updates. Unfortunately, disabling them 
as one of the first steps to resolve networking issues is still a very 
common troubleshooting practice, with many problems not being 
resolved due to disabling the features. 


Many customers have also started to disable additional offload 
features that have been stable across many OS releases. These 
offloads are typically named TCP Checksum Offload, IP Checksum 
Offload, Large Send Offload, and UDP Checksum Offload. They 
are available to configure in network adapter advanced properties 
or configuration utilities. These features are not the same thing as 
the SNP features, but customers often confuse them because of 
the similar naming. Also, many other performance enhancements 
require these features. 

Receive-Side Scaling 

Prior to the introduction of SNP, receive-side network processing 
in multi-core computers was conventionally bottlenecked by the 
fact that a single CPU services all the interrupts from a network 
adapter. RSS solves this problem by enabling a network adapter 
to distribute its network-processing load across multiple CPUs in 
multi-core computers. 

If RSS isn't enabled, you're potentially wasting capacity and reducing the load and the number of network transactions that each server can handle. This situation could result in higher costs, due to buying more hardware than you actually need, and due to the additional infrastructure costs that come with the additional hardware.

For RSS to provide scalability, it must be enabled in the OS, 
which has a global impact on all network adapters, and it also 
needs to be enabled in the individual network adapters through 
their advanced properties or configuration utilities. By default, in 
Server 2008 and Server 2008 R2, RSS is enabled. You can see if it's 
currently enabled or disabled by using the following command 
and looking at the resulting output: 

C:\Users\Admin>netsh interface tcp show global
Querying active state...

TCP Global Parameters
Receive-Side Scaling State          : enabled
Chimney Offload State               : automatic
NetDMA State                        : enabled
Direct Cache Acess (DCA)            : disabled
Receive Window Auto-Tuning Level    : normal
Add-On Congestion Control Provider  : none
ECN Capability                      : disabled
RFC 1323 Timestamps                 : disabled

Figure 2: The difference after enabling RSS


If RSS is disabled, you might see something 
like Figure 1. This picture is from the Per¬ 
formance tab in Task Manager, and you can 
see that Processor 0 is pegged at 100 percent 
CPU, while the rest of the processors are 
running at lower utilization. Seeing Proces¬ 
sor 0 at a much higher CPU utilization is a 
good indicator that RSS might be disabled 
on a server. After enabling RSS, you can 
see in Figure 2 the difference in processor 
utilization on the server as the CPU utiliza¬ 
tion for Processor 0 is now fairly close to the 
other processors right around 3:00 A.M. 

RSS also relies on the network adapter 
offloads (which I mentioned earlier) that 
are on by default, known as TCP Checksum 
Offload, IP Checksum Offload, Large Send 
Offload, and UDP Checksum Offload (for 
IPv4 and IPv6). So, if those have been dis¬ 
abled for a network adapter, RSS won't be 
used for that network adapter. 

Also, some network adapters have advanced settings to control the number of processors used for RSS and also the number of RSS queues. A common mistake is to set the RSS processor count very low compared with the number of processors on the server. Each adapter and manufacturer has its own recommendations for settings, so please see the vendor documentation to determine optimal settings based on your environment and workload.

TCP Chimney Offload 

TCP Chimney Offload (often called TOE 
by manufacturers) transfers TCP traffic 
processing from a computer's CPU to a net¬ 
work adapter that supports TOE. Moving 
TCP processing from the CPU to the net¬ 
work adapter can free the CPU to perform 
more application-level functions. TOE can 
offload the processing for both TCP/IPv4 
and TCP/IPv6 connections if the network 
adapter supports it. 

Because of the overhead associated with moving TCP/IP processing to the network adapter, TOE offers the most benefit to applications that have long-lived connections and transfer a lot of data. Servers that perform long-lived connections, such as database replication, file serving, or performing backup functions, are examples of computers that might benefit from having TOE enabled. Servers with short-lived connections, such as web servers or email servers, might not see any benefit from it.

By default in Server 2008, TOE is dis¬ 
abled. In Server 2008 R2, TOE defaults 
to a new Automatic mode. You can see if 
it's currently set to automatic, enabled, or 
disabled by using the following command 
and looking at the resulting output line for 
Chimney Offload State: 

C:\Users\Admin>netsh interface tcp show global
Querying active state...

TCP Global Parameters
Receive-Side Scaling State          : enabled
Chimney Offload State               : automatic
NetDMA State                        : enabled
Direct Cache Acess (DCA)            : disabled
Receive Window Auto-Tuning Level    : normal
Add-On Congestion Control Provider  : none
ECN Capability                      : disabled
RFC 1323 Timestamps                 : disabled

TOE also must be enabled in the network 
adapter advanced settings, which also lets 
you control which network adapters use it. 
Please see your network adapter documen¬ 
tation for more information. 

In automatic mode in Server 2008 R2, 
TOE considers offloading the processing 
for a connection only if the following cri¬ 
teria are met. This allows TCP Chimney to 
selectively offload connections, instead of 
all connections. 

• The connection is established through 
a 10Gbps Ethernet adapter 

• The mean round-trip link latency is less 
than 20 milliseconds 

• At least 130KB of data has been 
exchanged over the connection 

You can look at TOE connection details with the Netsh command netsh interface tcp show chimneystats. If you notice extremely slow network performance that's greatly improved by disabling Chimney, please see the Microsoft article "The SACK option is always set to 'True' even if network adapter does not support SACK for offloaded connections in Windows 7 or in Windows Server 2008 R2" (support.microsoft.com/kb/2525390).
Table 1: RSS and TOE Recommendations for Each Server Version

Windows Server 2008
• Service Pack 2 (required)
• Install hotfix for KB 979614
• Install hotfix for KB 967224
• Re-enable RSS in the OS and network adapters
• Update network adapter drivers to the latest recommended manufacturer version
• Adjust RSS settings for network adapters based on manufacturer recommendations
• Update antivirus software to the latest versions/engines and definitions

Windows Server 2008 R2
• Service Pack 1 recommended
• If not on SP1, install hotfixes for KB 977977 and KB 979612
• If on SP1, install hotfix for KB 2519736
• If using TCP Chimney Offload, install hotfix for KB 2525390
• Consider the hotfix in KB 2511305
• Re-enable RSS in the OS and network adapters
• Update network adapter drivers to the latest recommended manufacturer version
• Adjust RSS settings for network adapters based on manufacturer recommendations
• Update antivirus software to the latest versions/engines and definitions

Best-Practice Recommendations

Through trial and error, we've established some general guidelines that have been adopted with great success in some customer deployments. For example, following our recommendations, one Microsoft enterprise customer was able to increase its Exchange Server capacity and stability to levels never achieved before. Table 1 provides a list of what is recommended for each server version.


For SNP features, we highly recommend 
leaving RSS enabled in the OS and network 
adapter settings. We recommend you leave 
TCP Chimney set at Automatic for Server 
2008 R2 and disabled for Server 2008. 
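Both checks this column describes, the netsh global state and the lopsided Processor 0 load that Figures 1 and 2 illustrate, can be scripted so they run the same way on every server. The PowerShell below is an added example, not Microsoft support's code: it assumes Windows Server 2008 or 2008 R2 with PowerShell 2.0 and an elevated prompt, parses the netsh output format shown earlier in the column, and only reports; when a setting differs from the recommendation above (RSS enabled; Chimney automatic on 2008 R2, disabled on 2008) it prints the netsh command that would apply it rather than changing anything itself.

```powershell
# Added example, not the column's code: check the SNP settings the column recommends
# and look for the "Processor 0 pegged" symptom that points at RSS being off.
# Assumes Windows Server 2008 / 2008 R2, PowerShell 2.0, elevated prompt. Read-only.

function Get-TcpGlobalState {
    # Parse the 'Name : value' lines of 'netsh interface tcp show global' into a hashtable.
    $state = @{}
    foreach ($line in (netsh interface tcp show global)) {
        if ($line -match '^\s*(.+?)\s*:\s*(\S+)\s*$') { $state[$matches[1]] = $matches[2].ToLower() }
    }
    return $state
}

function Get-PerProcessorLoad {
    param([int]$Seconds = 10)
    # Average % Processor Time per logical CPU over a short window (Get-Counter, PowerShell 2.0+).
    $samples = Get-Counter '\Processor(*)\% Processor Time' -SampleInterval 1 -MaxSamples $Seconds
    $samples | ForEach-Object { $_.CounterSamples } |
        Where-Object { $_.InstanceName -ne '_total' } |
        Group-Object InstanceName | ForEach-Object {
            New-Object PSObject -Property @{
                Cpu = [int]$_.Name
                Avg = [math]::Round(($_.Group | Measure-Object CookedValue -Average).Average, 1)
            }
        } | Sort-Object Cpu
}

$state     = Get-TcpGlobalState
$osVersion = (Get-WmiObject Win32_OperatingSystem).Version   # 6.0.x = Server 2008, 6.1.x = Server 2008 R2
$wantChimney = if ($osVersion -like '6.1*') { 'automatic' } else { 'disabled' }

"OS version {0}: RSS is '{1}', Chimney Offload is '{2}'" -f $osVersion,
    $state['Receive-Side Scaling State'], $state['Chimney Offload State']

if ($state['Receive-Side Scaling State'] -ne 'enabled') {
    Write-Warning 'RSS is off in the OS. To follow the recommendation: netsh interface tcp set global rss=enabled'
}
if ($state['Chimney Offload State'] -ne $wantChimney) {
    Write-Warning "Chimney Offload should be '$wantChimney' on this OS: netsh interface tcp set global chimney=$wantChimney"
}

# Symptom check: one CPU doing all the receive-side processing while the others idle.
$load = @(Get-PerProcessorLoad)
$load | Format-Table Cpu, Avg -AutoSize
$cpu0 = ($load | Where-Object { $_.Cpu -eq 0 }).Avg
$rest = ($load | Where-Object { $_.Cpu -ne 0 } | Measure-Object Avg -Average).Average
if ($load.Count -gt 1 -and $cpu0 -ge 80 -and $cpu0 -gt 2 * $rest) {
    $msg = 'Processor 0 averages {0}% against {1:N1}% on the other CPUs: check that RSS is enabled on the ' +
           'adapter and that the checksum and Large Send offloads it depends on are still enabled.'
    Write-Warning ($msg -f $cpu0, $rest)
}
```

The OS-level state is only half the picture: RSS and Chimney must also be enabled in the adapter's advanced properties, and the adapter's own offloads (checksum, LSO) must not have been switched off, which the script can't see through netsh, so treat a warning from it as a reason to open the adapter properties, not as a diagnosis.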

If you're using NIC Teaming, please use 
the latest version of the network card drivers 
and additional software required to create 
teams with your network cards, and follow 
the manufacturer recommendations for 
TCP Chimney. Older versions of some NIC 
Teaming software didn't work with RSS, but 
that isn't a problem with newer versions. 

We highly recommend that you leave all other offloads that can be configured in network adapter advanced settings at their default settings (normally Enabled), since disabling them might disable other performance features that depend on them.

InstantDoc ID 140350 

TOD EDWARDS (tod.edwards@microsoft.com) is a senior supportability program manager at Microsoft, focused on identifying and mitigating the top causes of networking-related problems in Windows Client and Server products.
An Old But Still Useful Technology

NTFS is secure, reliable, and self-healing. It provides a solid foundation for data storage; however, NTFS can't compete with FAT in one area: speed. FAT has always been faster than NTFS. FAT has much less overhead because it's not secure, reliable, or self-healing.

Systems administrators who 
love solid, reliable performance 
prefer to use NTFS instead 
of FAT. However, FAT can be 
invaluable in applications in 
which speed is the overriding 
consideration, such as in IP TV 
applications. In these applications, TV signals from satellites are encoded to digital data. This data is typically fed to Windows servers, which distribute it to secondary servers. The secondary servers, in turn, pass the data to clients.

Video data consists of many tiny files 
whose size is usually only several kilobytes. 
These tiny files transfer from disk to disk, 
so they're constantly saved and deleted. 
Because they're volatile (i.e., not permanently 
stored), data security, reliability, and the 
ability to self-heal aren't primary concerns. 
The main concern is performance: You must 
distribute the files as quickly as possible. 

In an IP TV project in which I took part, hard disk performance had created a bottleneck. Although we used speedy Serial Attached SCSI (SAS) disks, the hard disk performance degraded over time and eventually crashed the application. When we observed the hard disk performance in Performance Monitor, the Avg. Disk Queue Length counter was constantly over 2, which meant the hard disk couldn't cope with the requests. To solve this problem, I made two suggestions:

• Cancel the RAID configuration. There was a RAID 10 configuration on the disks. Although RAID configurations protect data, they can hurt performance.

• Use FAT32 instead of NTFS on disk partitions where the cached video data was stored.

We decided to try these changes, so we used individual disks without RAID and used FAT32 to partition them. The results turned out to be better than we had hoped. There is no hard disk bottleneck now. The Avg. Disk Queue Length counter has been constantly under 1 and often close to 0. No special action is required to control fragmentation because the files are very small and cleaned out periodically.

—Murat Yildirimoglu, MCSE, MCT 
InstantDoc ID 140109 

Legal, Free, Centrally Deployable 
Antivirus Solution 

Small businesses can use Microsoft Security 
Essentials (MSE) on up to 10 PCs for free. 
Companies that don't want to use some of 
their antivirus solution licenses for the PCs in 
their small test labs can also use this 
free software. Manually install¬ 
ing MSE on each PC is a viable 
option in a small environ¬ 
ment, but if you've already set 
up a domain, you can install it 
with minimal effort. 

1. Download the appropriate copy of MSE from www.microsoft.com/security_essentials.

2. Right-click the executable and extract the files. If you don't have file compression software, you can use the free 7-Zip utility (www.7-zip.org).


3. Copy the extracted files to your 
server's shared folder. 

4. Download the free PsTools suite 
(technet.microsoft.com/en-us/sysinternals/ 
bb896649) and extract the files to a folder on 
your machine. 

With the preparation done, you can install MSE. Let's say that you intend to install it on a Windows XP machine named PC1 and the executable is on Server1 under a shared folder named Software. The only thing you need to do is open a command prompt on your computer and execute the following command, on one line, from the PsTools directory:

Psexec.exe \\PC1 -s \\Server1\Software\mssefullinstall-XP-x86\setup.exe /S /runwgacheck /o

The -s parameter runs setup.exe under the LocalSystem account on PC1, so it's PC1's computer account, not your user account, that reads the installer from the share; the share and NTFS permissions on \\Server1\Software must therefore grant read access to domain computers (for example, to the Domain Computers group), or the install will fail with an access-denied error. The /S parameter forces the installer to perform a silent install. The /runwgacheck parameter forces the installer to perform a Windows Genuine Advantage check. The /o switch tells the installer not to perform a full scan of the PC at the end of the installation. If you want it to perform the full scan, you can omit the /o switch.

After a few minutes, MSE will be installed on the remote PC. Typically, you have nothing else to do because the software performs automatic updates, but in a few cases, I found that a restart was required.

After you install MSE on 
the rest of your computers, you'll have a legal, 
free, and effective antivirus solution. Keep in 
mind that this procedure isn't supported by 
Microsoft and might change in future MSE 
editions. Also keep in mind that you won't 
have a dashboard with which to centrally 
monitor and configure MSE. ^ 

—Apostolos Fotakelis, computer security engineer 

InstantDoc ID 140110 
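For more than a handful of clients, the same psexec command can be driven from a script that also verifies what was pushed, which goes some way toward the missing central view that the tip above mentions. The PowerShell below is an added example, not the tip's own code. It assumes PsTools extracted to C:\Tools\PsTools, a constructed clients.txt with one hostname per line, the share path used in the tip, and that MSE registers its Microsoft Antimalware Service under the service name MsMpSvc; Get-Service -ComputerName needs the client's service control manager to be reachable over RPC. Because anyone who can write to the share could swap the installer, it checks the file's Authenticode signature before deploying it anywhere.

```powershell
# Added example, not the tip's code: push MSE to a list of XP clients with PsExec,
# after checking the installer on the share is validly signed by Microsoft, then confirm
# the antimalware service is running on each client.
$installer = '\\Server1\Software\mssefullinstall-XP-x86\setup.exe'   # path from the tip
$psexec    = 'C:\Tools\PsTools\PsExec.exe'                           # assumption
$clients   = Get-Content -Path .\clients.txt | Where-Object { $_ -match '\S' }   # constructed list

# Refuse to deploy anything that isn't a valid Microsoft-signed binary.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to deploy: installer signature is '$($sig.Status)' from '$($sig.SignerCertificate.Subject)'"
}

$results = foreach ($pc in $clients) {
    if (-not (Test-Connection -ComputerName $pc -Count 1 -Quiet)) {
        New-Object PSObject -Property @{ Computer = $pc; ExitCode = $null; Service = 'offline, skipped' }
        continue
    }
    # -s runs setup.exe as LocalSystem on the client, so the client's *computer account*, not you,
    # reads the share: share and NTFS permissions must grant Domain Computers read access.
    & $psexec -accepteula "\\$pc" -s $installer /S /runwgacheck /o 2>$null
    $rc = $LASTEXITCODE                       # PsExec returns the remote setup.exe exit code

    Start-Sleep -Seconds 15                   # give the service a moment to register and start
    $svc = Get-Service -ComputerName $pc -Name MsMpSvc -ErrorAction SilentlyContinue   # name: assumption
    New-Object PSObject -Property @{
        Computer = $pc
        ExitCode = $rc
        Service  = if ($svc) { $svc.Status } else { 'not found (install failed or reboot pending)' }
    }
}

$results | Format-Table Computer, ExitCode, Service -AutoSize
$results | Export-Csv -NoTypeInformation -Path .\mse-deploy.csv
```

Re-run the service check on its own a day later: a client whose MsMpSvc is stopped or missing is the one the procedure's lack of a dashboard would otherwise hide from you.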
ANSWERS TO YOUR QUESTIONS

Virtual Appliances ■ Activation Actions ■ Windows Authorization

Q: What's VMware vShield? 

A: VMware vShield is a collection of 
virtual appliances built for the VMware 
vSphere platform. Its virtual appliances 
provide security services for vSphere 
VMs, supporting activities such as firewall 
protection and anti-malware. They can 
also provide network edge and gateway 
services, including DHCP, VPN, NAT, port 
translation, and load balancing. 

Depending on which you've licensed, 
a vShield installation can have up to four 
different packages: vShield Zones, vShield 
Edge, vShield App, and vShield Endpoint. 

A fifth package, vShield Manager, man¬ 
ages the services of each. 

—Greg Shields 

InstantDoc ID 139896 

Q: How can I let non-administrators perform activation actions on a client?

A: To let non-admin users perform activation actions such as changing Multiple Activation Key (MAK) or Key Management Service (KMS) keys, performing a re-arm, or installing a license, do the following on the client:

1. Start the registry editor (regedit.exe).

2. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform.

3. If the DWORD value UserOperations doesn't exist, create it.

4. Double-click UserOperations and set it to 1. Click OK.

5. Close the registry editor and reboot the client.

Keep in mind that this setting applies to every standard user on that client, so use it only where letting non-administrators change the product key or re-arm the machine is acceptable.

—John Savill

InstantDoc ID 139919

Q: In the Windows authorization process, what do the terms access token, security descriptor, and impersonation mean, and what's the relationship between these concepts?

A: Windows authorization always deals with two entities, which Figure 1 shows: a subject and an object that the subject wants to access. A subject can be a security principal, such as a user, computer, or application. The object can be file resources hosted on a file server, printer queues on a print server, Active Directory (AD) objects in the AD database on a Domain Controller (DC), or any other object that's kept in a Windows IT infrastructure. Authorization between the subject and the object is governed and enforced by a third entity that is referred to as the reference monitor. In Windows OSs, this third entity is called the Security Reference Monitor (SRM). The SRM is the authorization authority on a Windows box. It isn't a separate process but a component of the kernel-mode executive, and it checks all access to resources located on a Windows system.

Windows authorization and the SRM deal with access to visible Windows objects, such as files, printers, registry keys, and AD objects, and with access to less visible objects, such as system processes and threads. Authorization also controls the ability to perform system-related tasks, such as changing the system time or shutting down the system. Microsoft calls these system-related tasks user rights.

Under the hood, the Windows authorization model is based on the key concepts of access tokens, access masks, security descriptors, and impersonation. Figure 2 shows how these concepts are brought together.

In the figure, notice how, upon every object access, the SRM checks the access token and the access mask against an object's security descriptor. The access token and access mask are both linked to a process that impersonates a user. Here's a closer look at the terms involved:

• Impersonation means that a process acts on behalf of a user.

• The access token contains a user's access control data such as group memberships and user rights.

• The access mask tells the SRM what the process wants to do with the resource (for example, reading a file or writing to a file). At the end of the authorization decision-making process, the SRM returns another access mask, called the "granted" access mask, to inform the process of what it can do with the resource.

• The security descriptor of an object tells the SRM who can do what with this particular object.

In the Windows authorization model, a user never accesses a resource directly; there's always a server process that acts on behalf of the user. This mechanism is known in Windows terminology as impersonation. When a process impersonates a user, it means that it runs in the security context of the user and that it uses the user's authorization attributes.

Figure 1: A subject and an object that the subject wants to access

Figure 2: Access tokens, access masks, security descriptors, and impersonation

To allow Windows to associate a 
user's authorization data (the user's 
rights and group memberships) with 
every process that's started by the user, 
Windows uses an object called the access 
token. Access tokens are linked to a 
user's logon session. They're generated 
on every machine that the user logs 
on to. An access token is always local 
to a machine and never travels across 
the network. The OS component that 
generates access tokens is the Local 
Security Authority (LSA). Besides the 
user's domain authorization data (stored 
in AD), an access token also contains the 
user's local authorization data. The latter 
is the authorization data that are stored 
in a system's local security database (the 
SAM): they include a user's local group 
memberships and local user rights. To 
look at the content of your Windows 
access token (including group member¬ 
ships and user rights), you can use the 
whoami tool with the /all switch. 


The main authorization attribute on 
the object side is called a security descrip¬ 
tor. A security descriptor tells the authori¬ 
zation system who can do what with the 
object. Every object that has a security 
descriptor linked to it is called a securable 
object. Securable objects can be shared 
between different users, and every user 
can have different authorization settings. 
Examples of securable objects include a 
file, a folder, a file system share, a printer, 
a registry key, an AD object, and a service. 
The security descriptor of a file system 
object is stored in the NTFS file system. 

The security descriptor of an AD object is 
stored in the object's nTSecurityDescriptor 
attribute. Note that the nTSecurityDescrip¬ 
tor attribute is also replicated to the Global 
Catalog, which ensures that access to AD 
objects will be secured even if the object is 
replicated outside its domain boundary to 
GCs in other domains. 

Every object's security descriptor contains a set of Access Control Lists (ACLs). An ACL is composed of multiple Access Control Entries (ACEs); an ACE is also referred to as a permission. An ACE links a security identifier (SID) to an access right (for example, read, write, delete, execute). Typical examples of permissions are "Joe can read the monthly expense claim report," or "Alice can print on the human resource department printer." In a security descriptor, an access right is represented using a hexadecimal value called the access mask.

Every security descriptor contains two 
types of ACLs. They're called discretionary 
ACLs and system ACLs. 

• Discretionary ACLs (DACLs) contain ACEs that are set by the owner of an object. They are called discretionary because their content is set at the object owner's discretion. Ownership is a key concept in the Windows security model. It's a very powerful concept because the owner of an object is always granted the right to manage the object's permissions. By default, the object owner is the Windows user account that created the object. In the case in which a domain administrator or a member of the local Administrators group creates an object, by default the Domain Admins or Administrators group becomes the object owner. To look at an object's discretionary ACLs from the Windows GUI, you typically use the ACL editor, which you can access from the Security tab in an object's properties. To look at the DACL of a file system object from the command prompt, you can use the cacls tool (or icacls, its replacement on Windows Vista and Windows Server 2008 and later).

• System ACLs (SACLs) contain an 
object's auditing settings and are 
set by an administrator. They're non¬ 
discretionary—they're not related in any 
way to the owner of an object. To look at 
an object's SACL from the Windows GUI, 
you use the ACL editor. 

In addition to the DACLs and SACLs, an 
object's security descriptor also contains 
two other fields. They are as follows: 

• The Owner SID field, which holds the SID 
of the owner of the object. 

• The Primary group SID field, which holds the SID of the object owner's primary 
group and is used for POSIX and Macintosh access control management compatibility. 
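As an added, runnable illustration of the access mask, the DACL, and the owner's implicit rights described above (this is example code written for this edit, not part of the original article and not a Microsoft tool), the following Python parses the Security Descriptor Definition Language (SDDL) string that tools such as icacls /save and the Sddl property of Get-Acl emit, names the bits in an access mask, and runs a simplified version of the Windows AccessCheck walk over a file object's DACL. The well-known SID abbreviations it knows, the constructed SDDL sample, and the token SIDs used in the checks are assumptions chosen for the demonstration; the generic-right mapping is the one for file objects, and SACLs, integrity labels, and the OWNER RIGHTS SID are deliberately left out.

```python
"""Decode Windows access masks and SDDL DACLs, then run a simplified AccessCheck.
Added example for the security-descriptor discussion; not code from the article.
Generic-right mapping and rights abbreviations are those of file objects."""
import re

# Access-mask layout (winnt.h): bits 0-15 object-specific, 16-23 standard,
# 24-25 ACCESS_SYSTEM_SECURITY / MAXIMUM_ALLOWED, 28-31 generic rights.
ALL_BITS = {
    0x00000001: "FILE_READ_DATA", 0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA", 0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA", 0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD", 0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE", 0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x02000000: "MAXIMUM_ALLOWED", 0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE", 0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}
# Two-letter rights tokens used in SDDL ACE strings (file-object values).
SDDL_RIGHTS = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
               "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
               "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0}
# GENERIC_MAPPING for files: what each generic bit means on this object type.
FILE_GENERIC_MAP = {0x80000000: 0x00120089, 0x40000000: 0x00120116,
                    0x20000000: 0x001200A0, 0x10000000: 0x001F01FF}
# Well-known SID abbreviations that appear in SDDL (assumed subset for the example).
SDDL_SIDS = {"BA": "S-1-5-32-544", "BU": "S-1-5-32-545", "SY": "S-1-5-18",
             "AU": "S-1-5-11", "WD": "S-1-1-0", "CO": "S-1-3-0"}
OWNER_IMPLICIT = 0x00020000 | 0x00040000   # owner may always read/change the DACL


def decode_mask(mask):
    """Name every set bit of a 32-bit access mask, lowest bit first."""
    names = [name for bit, name in sorted(ALL_BITS.items()) if mask & bit]
    unknown = mask & ~sum(ALL_BITS) & 0xFFFFFFFF
    return names + ([hex(unknown)] if unknown else [])


def map_generic(mask):
    """Replace generic bits with the concrete file rights they stand for."""
    for gbit, concrete in FILE_GENERIC_MAP.items():
        if mask & gbit:
            mask = (mask & ~gbit) | concrete
    return mask


def parse_rights(text):
    """Rights field of an ACE: either a hex number or a run of two-letter tokens."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    return sum(SDDL_RIGHTS[text[i:i + 2]] for i in range(0, len(text), 2))


def parse_sddl(sddl):
    """Return {'owner', 'group', 'dacl'}; dacl is None for a NULL DACL, [] if empty."""
    parts = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    sd = {"owner": SDDL_SIDS.get(parts.get("O"), parts.get("O")),
          "group": SDDL_SIDS.get(parts.get("G"), parts.get("G")), "dacl": None}
    if "D" in parts:
        sd["dacl"] = []
        for body in re.findall(r"\(([^)]*)\)", parts["D"]):
            f = body.split(";")          # type;flags;rights;object_guid;inherit_guid;sid
            flags = {f[1][i:i + 2] for i in range(0, len(f[1]), 2)}
            sd["dacl"].append({"type": f[0], "flags": flags,
                               "mask": parse_rights(f[2]), "sid": SDDL_SIDS.get(f[5], f[5])})
    return sd


def access_check(sd, token_sids, desired):
    """Simplified AccessCheck: walk the DACL in order; a deny ACE that covers any
    still-unsatisfied desired right fails the check, allow ACEs accumulate rights."""
    remaining = map_generic(desired)
    if sd["dacl"] is None:                  # NULL DACL: everyone gets everything
        return True
    if sd["owner"] in token_sids:           # implicit owner rights, independent of ACEs
        remaining &= ~OWNER_IMPLICIT
    for ace in sd["dacl"]:
        if remaining == 0:
            break
        if ace["sid"] not in token_sids or "IO" in ace["flags"]:  # inherit-only: not for this object
            continue
        mask = map_generic(ace["mask"])
        if ace["type"] == "D" and mask & remaining:
            return False
        if ace["type"] == "A":
            remaining &= ~mask
    return remaining == 0                   # empty DACL or no matching allow: denied


# Constructed sample: Administrators/SYSTEM full control, Users read & execute,
# one domain user explicitly denied the specific write bits (0x116).
SAMPLE_SDDL = ("O:BAG:SYD:PAI(D;;0x116;;;S-1-5-21-1-2-3-1104)(A;OICI;FA;;;BA)"
               "(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)")
```

One gotcha the check reproduces: a deny ACE written with the SDDL token FW denies FILE_GENERIC_WRITE, and that value includes READ_CONTROL and SYNCHRONIZE, so it also blocks ordinary reads of the file. If you mean "no writing", deny only the specific write bits (0x116), as the sample does.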

—Jan De Clercq 
InstantDoc ID 139906 
In the past 2 years, we've heard a lot about significant attacks against cloud service 
providers, security companies, defense industry manufacturers, and national research 
laboratories. The attacks against these particular companies might have gone largely 
unnoticed in the noise of the onslaught of attacks against companies of all sizes and 
in all industry sectors, except for one thing: the unique nature of the attacks and the 
term used to describe them, the Advanced Persistent Threat (APT). McAfee recently 
released a paper indicating that some of these attacks might be related and that 
they've been ongoing as part of a larger operation for some time. McAfee dubbed the 
attacks Operation Shady RAT (RAT stands for Remote Access Tool; for more details, see 
the McAfee white paper at www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf). 
There's a lot of confusion about what APT means, as well as whether every company 
connected to the Internet needs to be concerned about APT. Let's take a detailed look 
at what APT really means and what you can do to defend yourself against APT attacks. 


Learn best practices to defend your organization 

by John Howie 


Origin and Meaning 

The source of the term APT is debatable, but many people believe it was first publicly 
used in 2006, by the US Air Force, in briefings for people who didn't have a security 
clearance. The term was intended as an unclassified code word for both the source and 
the style of attacks against US interests. The term wasn't chosen lightly, and each 
word has a specific, relevant meaning. 

• Advanced: The source of the attack is a well-funded, well-resourced entity with 
sufficient computing power and educated personnel at its disposal to conduct the 
attack. The individuals behind the attack are usually highly skilled and trained in 
the art of computer intrusion; they aren't your typical script kiddies. 

• Persistent: The source of the attack is patient, has a particular goal in mind, and 
is willing to spend considerable effort in achieving that goal. If one avenue of 
attack is unsuccessful, another will be attempted. Unlike conventional attacks, the 
target is carefully selected and the attack might go on for months or even longer 
until the goal is achieved. 

• Threat: The source of the attack is a recognized threat to US interests. The 
attacker is a nation-state-backed group of individuals either working for or under 
the direction of a foreign government. 

The term is believed to have first been used to describe attackers at universities 
and military schools in the People's Republic of China (PRC). 


Since the term APT was introduced, it has been used to describe many attacks that have surfaced 
in the press, including attacks that aren't truly characteristic of the original meaning of APT. In fact, the 
term APT has devolved largely through misuse to the point that the threat component of the term can be 
applied to any adversary who is a threat to the victim's interests. This is a source of confusion to many. 
■ APT PROTECTION 


Unfortunately, the term APT is now creeping into marketing literature, as companies try 
to sell products and services through scare tactics. Even worse, the marketing 
literature often refers to existing products and services that offer no new features 
designed specifically to defeat an APT. 

Unique Characteristics of APT Attacks 

The meaning behind the term APT provides insight into why APT attacks are unique. In 
addition to being incredibly well-resourced, directed at a specific target, and carried 
out in a patient manner, APT attacks are conducted very differently from the average 
hacker or cybercriminal attack. 

Most hackers probe systems and networks, looking for weaknesses; upon finding a 
vulnerability, they try to exploit it. Typically, the end goal is to access data such 
as credit card information, usernames and passwords, or other personal data that can be 
marketed and sold in the underground cybercrime economy. Hackers also attempt to crack 
applications using techniques such as SQL injection (SQLi) to obtain access to the 
databases behind web applications. Another common attack is cross-site scripting 
(XSS), which runs attacker-supplied JavaScript in your browser in the context of a 
site you trust, so it can steal session cookies or other data that might include 
usernames and passwords, without you being aware of what's going on. After attackers 
obtain data, they typically end the attack, sometimes after installing software that 
allows them future access to data. 

An APT can use any of these individual 
attacks but more likely will use all of these 
attacks together, in combination with other 
attacks—such as spear-phishing, in which 
individuals are targeted and tricked into 
running malicious software or revealing 
their credentials to sensitive systems. 

To fully understand how an APT works, it's useful to study a well-documented attack, 
and there are several we could discuss. Google, a major provider of cloud services, 
publicly disclosed in January 2010 the attack that McAfee dubbed Operation Aurora, and 
worked closely with customers and other companies that it believed might also have 
been compromised, as it discovered evidence in its investigation. It's suspected that 
some of Google's employees were friended using a popular IM product. The APT friending 
the victims had conducted extensive research about them, using search tools, their 
pages on social media websites, blog entries, and so on. The wealth of information 
posted by the victims helped identify them as targets, and it gave the APT a detailed 
profile of the victims so the APT could pretend to have similar interests or even to 
be someone the victim had met, gone to school with, or worked with in the past. After 
the victims were ensnared, the APT sent them links to websites under the APT's 
control; these sites served an exploit for a then-unpatched (zero-day) vulnerability 
in Internet Explorer (IE), used in the wild against IE 6.0, which installed malware on 
the victims' machines. After the victims' machines were under the APT's control, the 
APT installed spyware designed to capture keystrokes as the victims logged on to their 
employer's systems and networks. With credentials granting access to Google's internal 
infrastructure, the APT probed for weaknesses in line-of-business (LOB) applications 
and other software, attempting to elevate its level of access. At each point, the APT 
installed more malware or configured the compromised systems to act as launch points 
for further attacks, which is often called pivoting. Eventually, the APT compromised 
the core systems it was targeting and was able to access the desired data, which in 
this case included the mailboxes of dissidents and human rights activists who were of 
interest to the regime on whose behalf the APT was working. Data collected in the 
attack was exfiltrated from Google via a server under the APT's control at another 
service provider. 

In another recent attack, the victim was RSA, the manufacturer of the popular SecurID 
two-factor authentication tokens. The APT targeted RSA employees with an email that 
contained an Excel attachment with an embedded Flash object that exploited a zero-day 
vulnerability in Adobe Flash Player (there was no vulnerability in Excel itself). When 
the victims opened the attachment, their machines were compromised and the APT 
proceeded to install spyware, log on to other systems, and pivot across the network 
until the target was reached. As a direct consequence, RSA had to go to great expense 
to assure its customers that their use of the company's product was safe (and for 
customers who follow RSA's published guidelines, it's very safe). RSA issued 
replacement two-factor authentication hardware tokens to customers upon request, even 
when not truly required. Using the information obtained in this attack, the APT has 
since gone on to attack defense contractors who used RSA's two-factor authentication 
system, such as Lockheed Martin. The APT has successfully compromised other companies' 
systems and networks, fueling speculation that the initial attack against RSA was 
simply a means to an end. 

Although not every organization will become a target for an APT, the real concern 
among security professionals is that the tools and techniques employed by APTs will 
eventually make their way into the hands of cybercriminals and other hackers. If this 
happens, very sophisticated attacks will be carried out against any organization that 
has something of value to the attacker, whether credit card or other financial 
information, trade secrets, and so on. Attacks might also be carried out as a form of 
cyber-activism, also known as hacktivism. 

Defending Against APT-Style Attacks 

Commonalities exist in the APT attacks that I discussed in the previous section. First, 
the attacks began with the selection of specific targets who were friended and sent 
instant messages with URLs to malicious websites or who received emails with 
attachments containing malware. The APT compromised victims' machines by exploiting 
vulnerabilities in older and unpatched software. In the case of the Aurora attack, it's 
also likely that one or more of the victims logged on using elevated privileges, 
providing the APT with credentials that afforded more access than an ordinary user 
would have. 

The lessons learned from these attacks show that social engineering plays a big part 
in the initial phases, with attackers studying their potential victims carefully and 
identifying whom to target. Organizations can reduce the likelihood that their 
employees will be targeted by creating and enforcing a social media policy that 


prohibits employees from discussing their employer or providing details about their 
job on sites such as Facebook or in non-company blogs. The less information an 
attacker has about potential victims, the less successful social engineering will be 
against those victims. Organizations can also prohibit the use of company-owned 
computers to visit social media websites or to run unsanctioned IM products. Although 
this approach might be very unpopular among employees, many would probably be content 
to visit social media websites and conduct IM chats from their smartphones and 
tablets instead. A proxy server or an egress filter on a firewall makes it trivially 
easy to technically implement such a policy for users connected to a corporate 
network. For remote and mobile users, technologies such as Microsoft DirectAccess 
(configured for force tunneling, so that Internet traffic doesn't bypass the tunnel) 
can be used to route all traffic through the corporate network and out through 
approved proxy servers and firewalls where policy can be implemented and enforced. 

The next step organizations of all sizes can take to reduce the likelihood that 
they'll suffer a successful APT-style attack is to employ malware filters on email 
systems and proxy servers and to configure corporate IM systems to prohibit the 
delivery of messages with URLs in them. An example of an email filter is Microsoft 
Forefront Online Protection for Exchange (FOPE), which scans email messages before 
they're delivered to your on-premises or cloud-based email system and catches 
malicious attachments and other undesirable content such as spam and phishing emails. 
In addition to being a more than capable firewall, Microsoft Forefront Threat 
Management Gateway (TMG) 2010 can be used to protect employees from malicious websites 
by blocking access to known malicious sites and by inspecting web content for malware. 
IE 9.0 also contains a feature called SmartScreen, which anonymously checks the URLs 
of websites against a centralized list of known bad websites and warns users if they 
attempt to visit one. SmartScreen also inspects the content on a visited web page, 
looking for characteristics of malware and other malicious content. Making IE 9.0 the 
default web browser in your organization will help protect you. 
Every organization should have a security education and awareness function in place 
to teach employees the basics of information security, the organization's policies, 
how to detect and report suspicious emails and websites, and what to do when employees 
suspect that something is wrong. Small organizations won't have the resources to 
create and run such a program or develop their own training materials. For such 
organizations, I recommend resources such as ENISA's Awareness Raising program 
(enisa.europa.eu), SANS (www.sans.org), the National Institute of Standards and 
Technology's (NIST's) Computer Security Resource Center (csrc.nist.gov), and 
Microsoft's security awareness materials (technet.microsoft.com/en-us/security/cc165442). 

If an attacker successfully sends an email with a malicious attachment or tricks a 
victim into visiting a malicious website, the malware used will likely try to exploit 
a vulnerability in popular software for which an update already exists. Even in the 
case of the Aurora attack, the exploit used in the wild targeted IE 6.0; on later 
versions of IE, which run with protections such as DEP and Protected Mode enabled, 
the same vulnerability was far harder to exploit. 

Be sure to regularly update all the software used in your organization and to use the 
latest versions whenever possible. Microsoft Update can be configured to check 
frequently for, as well as download and install, updates for all supported versions of 
Windows, servers such as Microsoft SQL Server or Exchange Server, and applications 
such as Microsoft Office and Silverlight. You can also use a centralized system such 
as Windows Server Update Services (WSUS) 3.0 SP2, which is free and can be used to run 
reports to catch systems that aren't updating. For third-party applications, make sure 
you understand how to check for updates and apply them. Many, such as Adobe Acrobat 
Reader and Flash, as well as Oracle's Java, come with an updater or a feature to 
regularly check for updates. Make sure the updater is configured to run. 

You should run 64-bit versions of OSs and applications if possible. Note that 32-bit 
user-mode malware still runs on 64-bit Windows through the WOW64 subsystem, so the 
benefit isn't that malware fails to execute; it's that 64-bit Windows enforces 
protections that 32-bit Windows doesn't. In particular, 64-bit Windows requires 
kernel-mode drivers to be digitally signed, which prevents malware from easily loading 
itself into the Windows kernel as a rootkit. Later versions of Windows (i.e., Windows 
Server 2008, Windows Vista, and later) support Address Space Layout Randomization 
(ASLR), which loads executables and DLLs at unpredictable addresses so that an exploit 
can't rely on code or data being at known memory locations; an image benefits only if 
it was linked with the /DYNAMICBASE option. Data Execution Prevention (DEP, introduced 
in Windows XP SP2 and Windows Server 2003 SP1) marks data pages such as the stack and 
heap as non-executable, so the payload delivered by a buffer overrun can't simply be 
run from where it was written. Windows 7 and Office 2010 both have 64-bit versions 
available. 
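Whether a given executable actually opts in to ASLR and DEP is recorded in its PE header, so a practitioner can audit the software on a build before deploying it. The following is an added Python example (written for this edit, not from the article and not a Microsoft tool) that reads the DllCharacteristics field of the optional header and reports the DYNAMIC_BASE, NX_COMPAT and HIGH_ENTROPY_VA flags, and also checks the COFF "relocations stripped" flag, without which the loader can't relocate the image even when DYNAMIC_BASE is set. The images it is run against here are constructed minimal headers produced by the helper, so it runs offline; the field offsets and flag values are those of the PE format as documented in winnt.h.

```python
"""Report DEP/ASLR opt-in flags from a PE header.
Added example for the ASLR/DEP discussion; not code from the article or a Microsoft tool.
Runs against constructed minimal headers; pass real .exe/.dll bytes to audit software."""
import struct

IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x014C, 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x010B, 0x020B
IMAGE_FILE_RELOCS_STRIPPED = 0x0001          # COFF Characteristics: image can't be relocated
# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags (winnt.h)
DYNAMIC_BASE = 0x0040                        # /DYNAMICBASE: eligible for ASLR
NX_COMPAT = 0x0100                           # /NXCOMPAT: opts in to DEP
HIGH_ENTROPY_VA = 0x0020                     # /HIGHENTROPYVA: 64-bit high-entropy ASLR


def pe_mitigations(image):
    """Return which exploit mitigations the image declares in its headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20                          # COFF file header is 20 bytes
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    # DllCharacteristics is at offset 70 in both the PE32 and the PE32+ optional header.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    is64 = magic == PE32PLUS_MAGIC
    arch = {IMAGE_FILE_MACHINE_I386: "x86",
            IMAGE_FILE_MACHINE_AMD64: "x64"}.get(machine, hex(machine))
    relocatable = not (chars & IMAGE_FILE_RELOCS_STRIPPED)
    aslr = bool(dll_chars & DYNAMIC_BASE) and relocatable
    return {
        "arch": arch,
        "pe32plus": is64,
        "aslr": aslr,                        # flag set AND the image can still be relocated
        "dep": bool(dll_chars & NX_COMPAT),
        "high_entropy_aslr": is64 and aslr and bool(dll_chars & HIGH_ENTROPY_VA),
    }


def build_minimal_pe(machine, magic, dll_characteristics, coff_characteristics=0x0002):
    """Constructed, parseable (not loadable) image: DOS header, PE signature, COFF header
    and a zeroed optional header carrying only Magic and DllCharacteristics."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos = dos.ljust(e_lfanew, b"\0")
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, coff_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed images: an old 32-bit build with no opt-ins, and a modern 64-bit build.
LEGACY_X86 = build_minimal_pe(IMAGE_FILE_MACHINE_I386, PE32_MAGIC, 0)
MODERN_X64 = build_minimal_pe(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC,
                              DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA)

if __name__ == "__main__":
    for name, img in (("legacy_x86", LEGACY_X86), ("modern_x64", MODERN_X64)):
        print(name, pe_mitigations(img))
```

On real files, pass the bytes of the .exe or .dll. Two caveats the header alone doesn't settle: on client versions of Windows, DEP defaults to opt-in, so a 32-bit program without NX_COMPAT runs without DEP unless the system policy is changed to AlwaysOn (bcdedit /set nx AlwaysOn), and a DLL that isn't ASLR-eligible loaded into an otherwise randomized process gives an exploit a fixed address to work from.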

You should also consider instituting a policy that prohibits the installation and use 
of non-approved software in your organization, and you should regularly audit systems 
to make sure the policy is being followed. Non-approved software is often not updated 
by end users and might contain vulnerabilities that can be exploited. Products such as 
Microsoft System Center Configuration Manager (SCCM) can collect information about 
installed applications on end users' systems. Increasingly, attackers use several 
different types of malware, hoping to find one vulnerable piece of software. In 
addition, the software packages that are typically targeted are vulnerable versions of 
popular programs that often have no business use, such as consumer-oriented IM 
products, video calling software, and so on. One way to prevent users from installing 
non-approved software is to remove their administrator-level rights. Most modern 
commercial off-the-shelf (COTS) application software no longer requires the user to 
run it as a local administrator. Moreover, newer software is typically more secure and 
has fewer vulnerabilities than older versions. 

In the event that an attacker can compromise your employees' systems, install spyware, 
and gain credentials, you can minimize the impact by ensuring that users don't have 
administrative-level access to their computers. You should also implement a policy 
through Group Policy, or a similar mechanism, that forces users to change their 
passwords regularly. Another best practice is to follow the principle of least 
privilege and to use security mechanisms such as discretionary ACLs (DACLs) to 
restrict access on a need-to-know basis to folders and files, shares, websites, and 
other locations that might contain sensitive data. Database servers such as SQL Server 
can be configured to restrict access to databases, tables, and columns to only those 
users who have a need to access the data, and database encryption can be used to 
further enhance the protection of sensitive data. 

Employees who need elevated access to systems and networks, such as systems 
administrators, should have separate credentials that they use when performing duties 
that require elevated access, and they shouldn't browse the web, read email, use IM, 
or use any other type of software that isn't required to perform their duties when 
logged on with their elevated credentials. When logging on to desktop and laptop 
systems, systems administrators should use accounts that are members of the local 
Administrators group but that aren't members of the AD administrators groups; these 
include the local Administrators group on domain controllers (DCs), as well as the 
groups Schema Admins, Enterprise Admins, and Domain Admins. Ideally, a unique local 
administrator account with a unique password will exist for each desktop or laptop 
system, but this can be difficult to manage without third-party software. 

TMG can be configured to deny accounts with elevated access the ability to browse 
external websites, use IM software, and so on. It's also possible to use Software 
Restriction Policies (SRP) in Windows, or AppLocker on Windows 7 and Windows Server 
2008 R2, to prevent users logged on with elevated credentials from running software 
such as IE, Microsoft Lync, or Outlook. 
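The rule above (separate admin credentials, never used interactively on ordinary workstations) is easy to state and hard to verify, so it is worth checking from the logs: Windows Security event 4624 records the logon type and the host for every logon, and interactive, remote-interactive, unlock, cached and runas /netonly logons (types 2, 10, 7, 11 and 9) leave reusable credentials in LSASS on that host, while a network logon (type 3) does not. The following is an added Python example, not from the article, that flags tier-0 accounts logging on in a credential-exposing way to anything other than a domain controller, and any tier-0 logon with a cleartext password (type 8). The account list, host list and log lines are constructed for the demonstration, in a simplified key=value export rather than real EVTX/XML; in practice the membership comes from AD and the events from a collector.

```python
"""Flag privileged-account logons that expose reusable credentials on low-tier hosts.
Added example for the separate-admin-credentials advice; not code from the article.
The account and host lists and the log lines are constructed; the input format is a
simplified key=value export of Windows Security event 4624, not real EVTX."""

# Constructed tier-0 set (in practice, pulled from Domain/Enterprise/Schema Admins membership).
TIER0_ACCOUNTS = {"CORP\\adm-jdoe", "CORP\\adm-root"}
# Hosts where tier-0 credentials are expected to be used (domain controllers).
TIER0_HOSTS = {"DC01.corp.example", "DC02.corp.example"}
# 4624 logon types that leave reusable credentials in LSASS on the target host.
EXPOSING_TYPES = {2: "Interactive", 7: "Unlock", 9: "NewCredentials",
                  10: "RemoteInteractive", 11: "CachedInteractive"}
CLEARTEXT_TYPE = 8          # NetworkCleartext: the password itself reaches the host


def parse_event(line):
    """Parse one 'Key=Value Key=Value' line into a dict with numeric IDs."""
    ev = dict(token.split("=", 1) for token in line.split())
    ev["EventID"] = int(ev["EventID"])
    ev["LogonType"] = int(ev.get("LogonType", 0))
    return ev


def find_violations(log_text):
    """Return (account, host, reason) for every 4624 that breaks the tiering rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["EventID"] != 4624:          # only successful logons carry a logon type
            continue
        account = f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}'
        if account not in TIER0_ACCOUNTS:
            continue
        host, ltype = ev["Computer"], ev["LogonType"]
        if ltype == CLEARTEXT_TYPE:
            findings.append((account, host,
                             "tier-0 credentials sent in cleartext (logon type 8)"))
        elif ltype in EXPOSING_TYPES and host not in TIER0_HOSTS:
            findings.append((account, host,
                             f"tier-0 {EXPOSING_TYPES[ltype]} logon caches credentials "
                             "on a non-DC host"))
        # Network logons (type 3) leave no reusable credentials on the target, so they pass.
    return findings


# Constructed sample export (not real log data).
SAMPLE_LOG = """\
EventID=4624 Computer=WS042.corp.example TargetUserName=jdoe TargetDomainName=CORP LogonType=2 IpAddress=-
EventID=4624 Computer=WS042.corp.example TargetUserName=adm-jdoe TargetDomainName=CORP LogonType=10 IpAddress=10.1.2.3
EventID=4672 Computer=WS042.corp.example TargetUserName=adm-jdoe TargetDomainName=CORP PrivilegeList=SeDebugPrivilege
EventID=4624 Computer=DC01.corp.example TargetUserName=adm-jdoe TargetDomainName=CORP LogonType=10 IpAddress=10.1.2.3
EventID=4624 Computer=FS01.corp.example TargetUserName=adm-jdoe TargetDomainName=CORP LogonType=3 IpAddress=10.1.2.3
EventID=4624 Computer=WS042.corp.example TargetUserName=svc-backup TargetDomainName=CORP LogonType=3 IpAddress=10.1.5.9
EventID=4624 Computer=WS077.corp.example TargetUserName=adm-root TargetDomainName=CORP LogonType=8 IpAddress=10.1.9.4
"""

if __name__ == "__main__":
    for account, host, reason in find_violations(SAMPLE_LOG):
        print(f"{account} on {host}: {reason}")
```

The network logon of adm-jdoe to FS01 passes on purpose: administering a member server over SMB or WMI with a network logon doesn't cache the credential there, whereas an RDP session (type 10) to the same server would. Extend TIER0_HOSTS and the account set from AD rather than hand-maintaining them, and treat event 4672 (special privileges assigned) on a workstation as a second signal worth correlating.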

Another step that you can take to defend yourself against attacks is to install a 
commercial antivirus product. There are many such products on the market today, 
including Microsoft Forefront Endpoint Protection and Microsoft Security Essentials. 
Security Essentials is free for small businesses with up to 10 PCs. Even if an 
antivirus product doesn't initially detect malware used in an attack, it will most 
likely detect it sometime later, as the vendor updates the signatures and detection 
capabilities to include new malware. Upon detecting malware, you can then investigate 
what the malware is and whether your systems and networks have been compromised. 

Next, consider a technique called secure network segmentation. Many corporate 
networks are flat, and a user on one part of the network can see a system anywhere 
else on the network, even if the user can't authenticate to it or isn't authorized to 
access it. By segmenting your network, you restrict network-level access through the 
use of firewalls, routers, and other Layer 3 (L3) devices so that if an attacker 
penetrates one part of your network, he or she is still hampered in reaching the 
actual target. Segmentation works best if you identify your most sensitive 
environments and restrict access to them. In extreme cases, you might consider 
logically separating a production network that runs servers and POS or other 
transaction systems from your corporate network by creating a separate forest and 
issuing credentials to only those users who need access to the production network. 

Lastly, if you have a wireless LAN (WLAN), I strongly urge you to consider configuring 
it with enterprise-class Wi-Fi Protected Access 2 (WPA2-Enterprise). This means 
authenticating every user through 802.1X with an Extensible Authentication Protocol 
(EAP) method, so that each user logs on with a unique certificate (EAP-TLS) or a unique 
set of credentials (for example, PEAP with MS-CHAP v2), rather than with a pre-shared 
key that every device on the WLAN knows. If you run Active Directory (AD), you can 
configure the Network Policy Server (NPS) role in Server 2008 to act as a Remote 
Authentication Dial-In User Service (RADIUS) server for your WLAN Access Points (APs) 
or wireless controller and to authenticate users against their AD-based username and 
password or against certificates issued by your enterprise certification authority. 
You can also set policies that restrict when and where users can connect to the WLAN, 
including who can connect to the WLAN. If you allow guest access to your WLAN for 
vendors, contractors, and business guests, such as partners and customers, I recommend 
that you create a guest WLAN that's isolated from your corporate network. Most modern 
WLAN APs and controllers let you create guest WLANs with a unique SSID, logically 
separated from your corporate network, that you can connect directly to your firewall 
and the Internet. Although WLANs haven't figured prominently in recent descriptions of 
APT attacks, they're still an easy way into many corporate networks and can provide 
access from the parking lot outside your office to a distance of several hundred 
feet, in certain circumstances and with the right equipment. 

Use Protection 

Not every organization will be a target for an APT, but the methods and tools used by 
an APT in the hands of cybercriminals or hacktivists pose significant problems for 
every organization. An organization that keeps its systems and networks up-to-date 
with the latest versions and updates, uses antivirus software, practices the principle 
of least privilege, adopts meaningful policies, and educates its employees will likely 
be able to withstand, slow down, or detect most attacks. Although there are plenty of 
other methods that a true APT can use to initially compromise your systems and 
networks, these approaches typically require more costly and difficult attacks. The 
one method I didn't discuss is egress traffic monitoring, because even though some 
security experts recommend it, only the most sophisticated organizations can actually 
implement this technique. 
All Windows OSs use RDP for remote connectivity. As a greater percentage of users have 
become mobile, the devices used to connect to remote workspaces have become more 
diverse and users' expectations for a rich, high-fidelity, completely remote experience 
have increased. To keep pace with the increased importance of a rich remote 
experience, native RDP has evolved by leaps and bounds in the past few generations. 

RDP 7.0, which was released as part of Windows Server 2008 R2 and Windows 7, 
has an awesome feature set, including the following: 

• Full 32-bit color support using an enhanced codec that uses less bandwidth than when using 
24-bit color 

• True multi-monitor support with each display treated as a distinct display area 
• Bidirectional audio redirection that enables a great audio experience, including VoIP-type 
applications 

• RDS Easy Print, which allows driverless printing to remote Server 2008 R2, Server 2008, or 
Windows 7 desktops 

• Aero Glass remoting, which provides the Aero Glass experience for remote sessions as long as the 
local client supports Aero Glass; includes not only the Aero theme but also the 3D animations 
and desktop composition features, such as Flip 3D and live taskbar preview 
• Windows Media Player remoting, which enables smooth media playback by sending the media 
primitives (raw data) to the client for playback, provided the local client has this capability 


The final piece to a rich RDP experience 

by John Savill 


For the Aero Glass experience and rich multimedia playback, RDP uses remoting and 
essentially redirects the desktop composition and graphics/audio rendering from the 
remote session to the local client, taking advantage of the local client's 
capabilities and resources to provide a great experience. For example, instead of a 
Windows Media Video (WMV) file being rendered on the remote server and the bitmap 
screen updates being sent over the RDP connection for display on the local client, 
with Windows Media Player remoting, the data contained in the WMV file (the primitive) 
is sent over RDP to the local client. The local client then performs the decoding and 
rendering of the WMV file, saving a lot of bandwidth and providing very smooth 
playback because we aren't sending a huge amount of screen updates over the network. 
This means when I connect to my remote session from a rich client, such as a Windows 7 
desktop, I get a pseudo-local experience, with full graphics fidelity. However, if I 
connect from a more basic client that doesn't have Aero support or multimedia 
redirection, I don't get any of the Aero experience. In addition, media playback isn't 
as smooth because it's rendered on the remote desktop, giving a far more basic 
experience and likely the dreaded jagged playback. This is true when connecting to a 
session-based solution, such as a Remote Desktop (RD) Session Host server, or a 
virtualized client OS solution, such as a Windows 7 Virtual Desktop Infrastructure 
(VDI) environment. RemoteFX solves this inconsistency by giving a consistent end-user 
experience regardless of the capabilities of the end client. 

What Is RemoteFX? 

RemoteFX was introduced in Server 2008 R2 SP1 and actually consists of three 
technologies that are aimed at VDI environments running Hyper-V 2008 R2 SP1-enabled 
servers, with Windows 7 SP1 running as the client OS in the virtual machines (VMs). The 
great news is that RemoteFX is available in both Server 2008 R2 SP1 and the free 
Microsoft Hyper-V Server 2008 R2 SP1 server OS. This free OS is commonly used in VDI 
implementations because you don't need the server virtual guest rights that exist in 
the Enterprise and Datacenter editions if you're running a client OS-only virtualized 
environment. 

RemoteFX actually evolved from technologies first created by Calista Technologies and 
acquired by Microsoft in 2008. These technologies focused on providing a richer 
thin-client experience and are now part of the core Windows platform. 

Virtualized GPU. RemoteFX consists of three technologies, one of which provides the 
ability to virtualize the graphics processing unit (GPU) in the server and make these 
virtual GPUs available to the VMs running on the Hyper-V server. The virtual GPU 
allocated to the VM can be leveraged by the Windows 7 SP1 guest OSs running in those 
VMs. Windows 7 SP1 includes updated integration services, which lets guest OSs see the 
virtualized GPU and use it without additional software installation. This means the 
virtual Windows 7 SP1 guest now sees a full-featured GPU, which allows advanced 
graphics to be rendered server-side. The screen output is then sent to the RDP client 
for display, including server-side rendering of Aero effects, multimedia, and other 
types of media and applications not previously possible, such as Adobe Flash, 
Microsoft Silverlight, and DirectX applications. Because all the rendering is 
performed on the Hyper-V server within the VM, the actual client capability no longer 
matters. You can connect from a full, rich client or a basic thin client; the 
experience and graphics fidelity will be the same because all the graphics processing 
can be done server-side. The only requirement is that the end client must support RDP 
7.1, which was introduced in Windows 7 SP1 and includes RemoteFX support. 

After a client VM is RemoteFX enabled and is connected to from a RemoteFX-capable 
client, it will appear as if the VM actually has a GPU and an amount of graphics 
memory based on the RemoteFX configuration for the VM. Running DxDiag on the client 
will show the presence of a Windows Display Driver Model (WDDM) graphics driver and 
the Microsoft RemoteFX Graphics Device along with support for DirectDraw, Direct3D, 
and AGP texture acceleration, as Figure 1 shows. The initial RemoteFX release 
supports DirectX 9.0c. 

DirectX support in the virtualized OS is very important. Many applications and 
services leverage DirectX, such as Silverlight, Internet Explorer (IE) 9.0, and even 
Microsoft PowerPoint 2010. With the availability of DirectX in remote environments, 
most of the previous restrictions regarding the type of applications that can be run 
are eliminated. In addition, applications now run with full fluidity; because all the 
rendering is performed server-side, the client you're using has no relation to what 
you can do. For example, you can be on a basic client that supports RemoteFX, and in 
that remote session you can be running Flash, Silverlight, and pretty much any other 
content. The only limitation you're likely to encounter regarding DirectX is the 
amount of graphics memory that's visible to the VM, which is based purely on the 
resolution and number of displays you configure the VM with, which I cover later in 
the article. 

A question that often comes up is whether multimedia redirection is still performed with RemoteFX. The answer is that multimedia redirection is still used if you have a rich client that has multimedia rendering capabilities. If you can leverage local processing capabilities and reduce the server's processing load, you should do so; however, the key point is you'll get the same experience regardless of whether your client supports multimedia redirection—but the rendering will be performed on the server rather than the client. 

Another common question is whether OpenGL is supported. OpenGL is still used by certain applications. Although RemoteFX does support OpenGL, support is limited to OpenGL 1.1, which is provided out of the box in Windows. This version is quite old. Of course, we'd love to see more up-to-date OpenGL support in a future version of RemoteFX. 

Because the GPU is virtualized, we don't need a discrete GPU for every VM that will be RemoteFX enabled. Just like CPU virtualization, in which a single logical CPU (such as a core) can be mapped to many virtual CPUs, a GPU can be virtualized to as many as 12 virtual GPUs, allowing great scalability. One key consideration when we virtualize the GPU is the amount of graphics memory each VM will need. You can't overcommit GPU memory; therefore, to achieve the 12:1 ratio, you need to ensure that the graphics card has sufficient video RAM for all the VMs. 

Figure 1: Running DxDiag from within a RemoteFX-enabled Windows 7 SP1 VM 

Server-side rendering of advanced graphics content is great, but it also means that more screen update data will need to be sent over the network to the client for display—especially with all the additional graphics-intensive applications that are supported. To ensure a good client experience, RemoteFX is supported only for LAN connections in the initial SP1 release. This ensures enough bandwidth and low latencies. If you select any connection speed less than LAN (10Mbps or faster) on the Experience tab of the Remote Desktop Connection client, then RemoteFX will be disabled. 

New codec. Even if you ensure that RemoteFX is used only on LAN connections, you'll still experience a lot of screen updates and therefore bandwidth usage. The second part of the RemoteFX technology package is a new codec that was designed to efficiently encode and decode the display updates associated with the more intensive RemoteFX-enabled workloads. This is the only part of RemoteFX that's available to RD Session Hosts, formerly known as Terminal Servers. A Server 2008 R2 SP1 RD Session Host can take advantage of the new RemoteFX codec for encoding of the screen updates. Separate hardware encoder modules are available for offloading of the encoding work. 

Enhanced USB redirection. The final piece of the RemoteFX technology, enhanced USB redirection, is often overlooked. However, this feature truly completes the ability to have a full-featured remote desktop experience by enabling the redirection of basically any USB device from the local client to the remote session. 

Prior to the RemoteFX USB redirection feature, there were advancements in the type of devices that could be redirected to a remote session—for example, keyboard, mouse, microphone, smart card, disk, imaging devices with Inbox-type functionality, and a few others that can be redirected. However, these devices are all redirected by abstracting the device into one of the supported high-level RDP redirection device types. This means we can access these devices on the remote session without needing any drivers on the remote OS installed, but it also means we might miss device-specific functionality. In addition, many types of USB devices can't be redirected if they don't fall into these high-level types, such as multi-function printers, advanced communication devices, scanners, barcode readers, USB foam missile rocket firing devices, and many more. 

RemoteFX's USB redirection solves this problem by actually redirecting at the USB port level in a similar way to how RDP handles redirection of serial and parallel ports. With RemoteFX USB redirection, the actual USB request blocks (URBs) are intercepted from the client and sent to the remote session. Thus, basically any type of USB device can be redirected using the RemoteFX USB redirection feature; however, this doesn't mean you shouldn't continue to use RDP high-level device redirection for supported devices. RemoteFX USB redirection is designed to supplement RDP high-level device redirection to add support for devices that don't work with the standard RDP. 

For RDP high-level supported device redirection, such as input (keyboard/mouse), audio, drive, smart card, port, printer (RDS Easy Print), and Plug and Play (PnP), optimized protocols are used for each of the redirection types to minimize bandwidth usage and to ensure the best responsiveness and optimal experience for that type of device. In addition, RDP high-level device redirection doesn't require extra drivers in the remote session, and multiple remote sessions can access the same local device simultaneously. Because of these optimizations, RDP high-level device redirection can be used in both LAN and WAN environments. 

Next, consider RemoteFX USB redirection in which you're redirecting at the USB port level to the remote session. Because the port is being redirected, no device- or load-specific optimizations can be made. In addition, the device driver must be installed in the remote session because on the remote session it will look as if the device has been plugged in to a virtual USB port, so it needs the driver to use the device. Also, because we're redirecting at the port level, only one session can access a device at a time, including the local client. Therefore, if you redirect a device using RemoteFX USB redirection from your local client, no other session can see the device, nor can your local client. (So, make sure you don't try to RemoteFX USB redirect your keyboard!) RemoteFX USB redirection is also optimized for LAN environments and can't be used on WAN connections. 

Figure 2 shows several devices that I can use RemoteFX's USB redirection capability to redirect. I couldn't have used standard RDP to redirect all these devices. This powerful feature means I can have pretty much any USB device available in my remote sessions after I install the driver. Combined with high-level RDP redirection, RemoteFX USB redirection provides a great experience. 

By default, RemoteFX USB redirection is disabled on clients. You can enable it through a local policy or through Group Policy. Navigate to \Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\RemoteFX USB Device Redirection, and set the Allow RDP redirection of other supported RemoteFX USB devices from this computer option to Enabled. Next, select the option to indicate who has RemoteFX USB redirection rights—either administrators only or administrators and users. Finally, click OK and close Group Policy Editor (GPE). After the policy change takes effect, the option to redirect RemoteFX USB devices will be available in the Remote Desktop Connection client. 

Although RemoteFX USB redirection doesn't use any GPU resources, it's closely tied to the RemoteFX experience and can't be used with RD Session Hosts or a non-RemoteFX-enabled Windows 7 SP1 VDI VM. If you want RemoteFX USB redirection, you need GPUs in your Hyper-V servers and must enable your VMs for RemoteFX. 

Figure 2: RemoteFX exposes your USB devices as candidates for redirection to a remote session 

RemoteFX Requirements and Usage 

This all sounds great; we have a consistent high-fidelity graphics experience regardless of the client resources, the ability to run advanced graphics applications using server-side rendering, efficient use of bandwidth, and redirection of any USB device to the remote session. So how do we actually obtain access to RemoteFX capabilities? 

First, you need to know which versions of Server 2008 R2 SP1 support RemoteFX. Server 2008 R2 SP1 Standard, Enterprise, and Datacenter full installations all support RemoteFX, in addition to the Server Core-based free Hyper-V Server 2008 R2 SP1. Server Core installations of Server 2008 R2 SP1 don't include RemoteFX; as I noted, you need to be running a full installation of Server 2008 R2 SP1 or the free Hyper-V Server 2008 R2 SP1 if you want Server Core (which is the version of Windows you'd typically be running for VDI environments anyway). 

What about hardware? Remember that we're virtualizing the GPU in the server and making virtual GPUs available to the VMs that actually perform the server-side graphics rendering. Therefore, the first requirement is to have a GPU in the Hyper-V server. This GPU must support both DirectX 9.0c and DirectX 10.0 and have dedicated video memory. In addition, if you have more than one GPU in a Hyper-V server, the GPUs must be identical. The amount of memory required will vary depending on the number of VMs you plan to RemoteFX enable. 

Enabling RemoteFX on a Hyper-V server is very simple as long as the server meets all the requirements. RemoteFX is part of the Remote Desktop Services role, so to enable RemoteFX we use Server Manager and enable the RemoteFX role service, which is a component of the Remote Desktop Virtualization Host role service, as Figure 3 shows. You need to reboot to complete the installation. If you're running the free Hyper-V server, you can use the following PowerShell commands to enable RemoteFX: 

Import-Module ServerManager 
Add-WindowsFeature -Name RDS-RemoteFX 

After RemoteFX is installed on the 
server, you need to enable a VM for the 
technology. To do this, use Hyper-V 
Manager to view the VM settings. Under 
Add Hardware, select the option to add a 
RemoteFX 3D Video Adapter and select 
the maximum number of monitors and 
the maximum resolution. These settings 
are used to calculate how much video RAM 
should be assigned to the VM, as Figure 4 
shows. The more monitors you assign to a 
VM, the lower the maximum resolution. 
Table 1 shows the combinations possible 
for number of monitors and resolution, as 
well as the amount of video RAM assigned. 
For more information about performance 
counters related to RemoteFX, see my 
FAQs "Exactly how much GPU memory is 
allocated to a virtual machine (VM) based 
on the number of monitors and resolution 
set?" (www.windowsitpro.com, InstantDoc 
ID 130049) and "Are there any performance 
counters to monitor the performance of 
RemoteFX?" (www.windowsitpro.com, 
InstantDoc ID 130048). 

Figure 3: Enabling RemoteFX functionality on a Windows Server 2008 R2 SP1 server 

Figure 4: Setting the number of monitors and maximum resolution 

Table 1: Possible Combinations of Number of Monitors and Resolution 

Maximum Resolution   1 Monitor   2 Monitors   3 Monitors   4 Monitors 
1024x768             75MB        105MB        135MB        165MB 
1280x1024            125MB       175MB        225MB        275MB 
1600x1200            184MB       257MB        330MB        n/a 
1920x1200            220MB       308MB        n/a          n/a 

Note that you don't have to use all the monitors configured for a VM or the maximum resolution; this information is used for the video memory assignment so the VM can support the configured number of monitors and resolution if needed. Also notice that we max out at 330MB. If you have an application that requires more graphics memory than 330MB, RemoteFX isn't the right solution for you (yet). Enabling RemoteFX uses an additional amount of normal system memory for each VM, which varies based on the number of monitors and the resolutions. The amount of video RAM a server needs depends on the number of VMs you RemoteFX-enable and the number of monitors and resolution configured for each. 
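As an added sizing check (example code written around the figures in this article, not Microsoft's tooling or the author's own script), the following PowerShell encodes Table 1 together with the two constraints stated above: one physical GPU backs at most 12 virtual GPUs, and GPU memory can't be overcommitted, so the sum of the per-VM video RAM allocations must fit in the card's dedicated video RAM. The function names, the 2GB card size and the sample VM plan are my own assumptions.

```powershell
# Added example, not from the article: check whether a planned set of
# RemoteFX-enabled VMs fits on one physical GPU. Uses the Table 1 video RAM
# figures and the 12:1 virtual-to-physical GPU limit described in the text.
# Function names and the sample plan are my own.

# Table 1: video RAM (MB) assigned to a VM per maximum resolution and monitor count.
$RemoteFxVideoRamMB = @{
    '1024x768'  = @{ 1 = 75;  2 = 105; 3 = 135; 4 = 165 }
    '1280x1024' = @{ 1 = 125; 2 = 175; 3 = 225; 4 = 275 }
    '1600x1200' = @{ 1 = 184; 2 = 257; 3 = 330 }
    '1920x1200' = @{ 1 = 220; 2 = 308 }
}

function Get-RemoteFxVmVideoRam {
    # Return the video RAM a VM receives for a given resolution/monitor combination,
    # or throw when the combination is not one RemoteFX allows.
    param(
        [Parameter(Mandatory=$true)][string]$Resolution,
        [Parameter(Mandatory=$true)][int]$Monitors
    )
    if (-not $RemoteFxVideoRamMB.ContainsKey($Resolution)) {
        throw "Unsupported RemoteFX resolution: $Resolution"
    }
    $row = $RemoteFxVideoRamMB[$Resolution]
    if (-not $row.ContainsKey($Monitors)) {
        throw "RemoteFX does not allow $Monitors monitor(s) at $Resolution"
    }
    return $row[$Monitors]
}

function Test-RemoteFxGpuCapacity {
    # $PlannedVms is an array of hashtables with Name, Resolution and Monitors keys.
    param(
        [Parameter(Mandatory=$true)][int]$GpuVideoRamMB,   # dedicated video RAM on one physical GPU
        [Parameter(Mandatory=$true)][object[]]$PlannedVms
    )
    $maxVmsPerGpu = 12      # a GPU can be virtualized into as many as 12 virtual GPUs
    $totalMB = 0
    foreach ($vm in $PlannedVms) {
        $mb = Get-RemoteFxVmVideoRam -Resolution $vm.Resolution -Monitors $vm.Monitors
        Write-Verbose ("{0}: {1} monitor(s) at {2} -> {3} MB" -f $vm.Name, $vm.Monitors, $vm.Resolution, $mb)
        $totalMB += $mb
    }
    # GPU memory cannot be overcommitted, so both constraints must hold at once.
    New-Object PSObject -Property @{
        VmCount         = $PlannedVms.Count
        RequiredVRamMB  = $totalMB
        AvailableVRamMB = $GpuVideoRamMB
        FitsOnOneGpu    = ($PlannedVms.Count -le $maxVmsPerGpu) -and ($totalMB -le $GpuVideoRamMB)
    }
}

# Constructed sample plan: twelve VDI VMs on a card with 2GB of dedicated video RAM.
$plan = @()
foreach ($i in 1..8)  { $plan += @{ Name = "vdi$i"; Resolution = '1280x1024'; Monitors = 1 } }
foreach ($i in 9..12) { $plan += @{ Name = "vdi$i"; Resolution = '1600x1200'; Monitors = 2 } }
Test-RemoteFxGpuCapacity -GpuVideoRamMB 2048 -PlannedVms $plan -Verbose
```

The sample plan needs 8 x 125MB plus 4 x 257MB, or 2,028MB, so it just fits on the 2GB card with all 12 virtual GPUs in use; a thirteenth VM would fail the 12:1 limit before it failed the memory check, and raising any of the two-monitor VMs to 1920x1200 would be rejected because that combination isn't in Table 1.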

Beyond just the GPU and video memory, you should be careful about video card and driver selection. Although a consumer graphics card might work fine in a lab environment for a single VDI client just to play around with RemoteFX, for production environments with multiple VDI-enabled VMs you need professional-grade GPUs. Equally important is the WDDM GPU driver. To help make the GPU selection easier, Microsoft started a RemoteFX certification program for the GPU and driver to help find a GPU that will deliver a great RemoteFX experience. For information about RemoteFX partners, see the Remote Desktop Services (Terminal Services) Team Blog at blogs.msdn.com/b/rds/archive/2010/07/08/more-partner-momentum-around-microsoft-remotefx-in-windows-server-2008-r2-sp1-beta.aspx. One problem you might run into on your servers is that the installation of the required WDDM driver might break the use of remote baseboard management controllers that need XDDM drivers. For a solution to this issue, see my FAQ "I use a DRAC/iLO to manage my Hyper-V server but since enabling RemoteFX on the server the DRAC/iLO no longer works. Why not?" (www.windowsitpro.com, InstantDoc ID 130026). 

30 OCTOBER 2011 Windows IT Pro 

Today, many servers don't have GPUs or even PCI Express slots suitable for installing a GPU. This oversight makes implementing RemoteFX difficult. In the future, more server hardware partners will be releasing servers with multiple GPUs and PCI Express slots specifically to enable GPU virtualization for VDI implementations. 

Another requirement to enable RemoteFX is that the processor must support Second-Level Address Translation (SLAT), which is known as Extended Page Tables (EPT) by Intel and Nested Page Tables (NPT) by AMD. Although not a requirement, RemoteFX encoders can also be installed on servers to offload some of the RemoteFX encoding and increase a server's scalability. (I discussed this topic earlier in the article in reference to using the RemoteFX codec with RD Session Hosts.) Another RemoteFX requirement is that the OS running in the VM must be Windows 7 Enterprise SP1 or Windows 7 Ultimate SP1. 

The final requirement is the client itself—that is, the device with which you connect to the RemoteFX-enabled VM. The client must support RDP 7.1 and RemoteFX. Although obvious choices such as Windows 7 SP1 work great as clients, as does the new Microsoft Windows Thin PC, a whole new generation of thin clients is being released that are very small in form factor but have full RemoteFX support, providing a great end-user experience with hardly any hardware footprint and minimal power use. 

The Best Is Yet To Come 

RemoteFX is an awesome technology that totally changes the capabilities available to users connecting to Microsoft VDI environments and eliminates many of the past restrictions. Although the hurdle of no GPUs in servers might be an initial challenge, this obstacle will be overcome with new server lines being released in the future. In addition, RemoteFX is only in version 1.0; I expect the technology to improve with age. 

For information about enabling RemoteFX in a Windows 7 SP1 VM, check out my FAQ "How do I enable RemoteFX for my Windows 7 guest OSs?" (www.windowsitpro.com, InstantDoc ID 125627). See Microsoft's RemoteFX page at www.microsoft.com/windowsserver2008/en/us/rds-remotefx.aspx for some performance tweaks. Finally, see RemoteFX in action at www.savilltech.com/videos.html. 
Although it's not as obvious as in an application like Microsoft SQL Server, databases are at the heart of Microsoft Exchange Server. Databases need constant tending to remain efficient. Exchange maintenance comes in two flavors: ongoing and on-demand. This article explores the two types of maintenance, what they're used for, and the changes Microsoft made in Exchange Server 2010—including some new cmdlets that are available in Exchange Server 2010 SP1. 

Repairs can be ongoing or on-demand 

by Tony Redmond 

The Need for Maintenance 

Some people would assert that a properly designed and engineered database application should be 
self-maintaining. However, such Utopia has yet to be achieved in most applications—and Exchange is 
no different. Maintenance is needed to optimize internal database structures, remove old data that's 
no longer required, and apply management policies. Most of this work occurs in the background as 
part of the ongoing maintenance performed within the Exchange Information Store process, whereas 
the Managed Folder Assistant takes care of applying the rules of retention policies to mailboxes that 
come under the control of these policies. (For more details about the processing performed by the 
Managed Folder Assistant, see the Learning Path.) 

Exchange 2010 introduces a new database schema that marks the first overhaul of the internal structures since Exchange Server 4.0, in 1996. Previous tweaks, such as the increase in page size from 4KB to 8KB in Exchange Server 2007, helped Exchange cope with the demands of modern messaging but didn't provide the foundation for operating in a world where a 10GB mailbox will soon be the norm, even in corporate email systems. The new schema introduced in Exchange 2010 uses a set of internal tables that belong to individual mailboxes rather than using tables that contain data for a complete database. This change doesn't sound dramatic, but it lets the Store retrieve data much more efficiently to respond to user requests, especially as the number of mailboxes supported on a server increases to the several-thousand level commonly seen in production today. Other internal database changes, such as increasing the page size to 32KB and deferring view updates until items are requested by clients, transform the I/O profile from multiple small random I/Os to fewer and larger sequential I/Os. Essentially, Exchange 2010 processes more data in bigger chunks rather than nibbles. (Microsoft sometimes calls the use of random small I/Os "nickel and diming.") 

This approach is sensible given the swelling size of an average message from 4KB in circa 1996 to well over 100KB today, and the results are seen in a radical decrease in I/O operations per second (IOPS) generated by each mailbox. As with all aspects of performance, your mileage will vary depending on the details of your deployment, especially the storage hardware you use and how the different files (system, Exchange, databases, and transaction logs) are laid out—but in general, it's fair to say that companies that deploy Exchange 2010 in production will experience a large reduction in I/O demand over Exchange 2007 and a massive reduction when compared with Exchange Server 2003. Microsoft's publicity for Exchange 2010 indicates a reduction of 70 percent in I/O between Exchange 2003 and Exchange 2007 and a further improvement of about the same because of the changes made to Exchange 2010. However, such figures should be taken with a grain of salt until you verify the performance characteristics of your production servers. There's no doubt that you'll see improvement. The question is simply how much better Exchange 2010 performs on the type of hardware that you've chosen to deploy. 

Operating In a 24 x 7 World 

Exchange has always had the capacity to perform background maintenance. The difference in Exchange 2010 is that Extensible Storage Engine (ESE) maintenance, or the maintenance done for internal database structures, is done on a 24 x 7 basis by default rather than within a predefined time window, which is the approach used by legacy Exchange servers. (If desired, you can create a custom maintenance window for Exchange to use.) The problem with relying on a time window is that there might be too much work to get through in the available time. This problem grows in line with database sizes, so as database sizes increase, the only solution is to assign a larger time window in hopes that you keep pace with the work. 

Maintenance operations are essential for an Exchange database because they do the following: 

• Remove items and mailboxes from the database (a hard delete) after their retention time expires 

• Discover pages that were previously occupied by deleted items and mailboxes, and free up these pages for reuse by the database 

• Validate checksums on pages to ensure that they aren't corrupt 

Exchange 2010 still performs these maintenance operations, but the big difference is that ESE scanning can now occur on an ongoing 24 x 7 basis, unless you disable background maintenance for a database by updating its properties, as Figure 1 shows. 

When 24 x 7 ESE scanning is enabled for a database, the Store validates page checksums on an ongoing basis to ensure that the integrity of the database is continually verified. This is important because Exchange 2010 also includes the ability to patch single problem pages within a database availability group (DAG). Essentially, if the Store detects a problem page (one that fails a checksum check), it's able to signal to servers that host other copies of the database to ask them to provide a good copy of the page. After a good copy is received, the Store is able to patch the database and restore its overall integrity. Automatic problem page detection and fixing is a tremendous advantage of running mailbox servers in a DAG because it removes the classic "-1018 page corruption" problem from the list of things that administrators have to worry about. 

24 x 7 ESE scanning isn't the only maintenance that proceeds on a continuous basis. Exchange 2010 performs online defragmentation to keep internal structures optimized, items are removed from the database immediately after their retention period expires instead of waiting for the next maintenance window, and deleted pages are recycled so that they can be reused to store new items immediately. Finally, the Store analyzes the effect on database contiguity as transactions occur and, if necessary, the Store launches a background thread to move data between pages to make sure Exchange can fetch large chunks of contiguous data instead of resorting to a hunt and peck to find all the pages required for a transaction in multiple parts of the database. 

All of these activities are auto-throttled to ensure that background maintenance never takes away from the ability of the server to handle client requests. In other words, in times of peak demand, Exchange limits the amount of background maintenance and then increases background maintenance when user demand drops. 

Some additional CPU cycles and I/O are necessary to perform the processing required by maintenance on a 24 x 7 basis, such as shuffling pages around. However, this shouldn't be a concern for most modern multi-core servers, especially given the I/O gains made elsewhere. 

On-Demand Maintenance 

Given all the automatic maintenance that's going on in the background, administrators have less reason to intervene to perform on-demand maintenance on Exchange 2010 servers. However, we still don't live in a perfect world, and administrators must be able to recognize the two basic types of database corruptions that occur: logical and physical. 

Logical errors are evident in problems such as an incorrect count in a folder or a view that doesn't include all the items that it should for some reason. Logical errors often result from a client-side bug in which a client manipulates items in a folder but fails to update Messaging API (MAPI) flags properly. These problems are usually tolerable in that you can function perfectly well even when errors are present in a folder or mailbox. Some users don't even realize that errors exist. After all, if Microsoft Outlook reports that a folder holds 1,119 items, will anyone take the time to count all the items to verify that Outlook has correctly reported the count provided to it by Exchange? 

Figure 1: Setting the maintenance properties for a mailbox database 

www.windowsitpro.com 

EXCHANGE 2010 SP1 DATABASE MAINTENANCE 

Learning Path 

To learn more about Exchange Server 2010's retention policies: 

"Exchange 2010 MRM: How to Modify and Reduce Help Desk Calls About Retention Policies," InstantDoc ID 125919 

"Exchange 2010 MRM: Implementing New Retention Policies," InstantDoc ID 125359 

"Email Retention Policies in Exchange 2010," InstantDoc ID 103086 

Physical errors are far worse in terms of their effect on the smooth running of an Exchange server because they can render a database completely inaccessible to users. In the past, a physical error or corruption could be caused by a software bug or hardware failure. Today, the vast majority of physical errors are caused by hardware, such as problems in a disk controller when it attempts to write an updated page correctly back into a database. Physical corruption causes data loss if pages that hold indexes and mailbox contents can't be fixed. 

In previous versions of Exchange, on-demand maintenance was performed with two command-line utilities provided as part of the Exchange toolkit. ISINTEG (the Information Store Integrity maintenance utility) takes care of logical errors; ESEUTIL (or even EDBUTIL if you remember back that far) handles problems at a much lower physical level, in the bowels of the database. Both utilities are throwbacks to the days when it was acceptable to take databases offline for several hours to perform preventive maintenance. As such, these utilities are anathema to administrators. Given the size of mailbox databases today, it could take several hours for a utility to complete processing, creating a potentially huge effect on the ability to meet service level agreements (SLAs) and other operational requirements. 
A New Approach to Fixing Logical Corruptions 

ISINTEG isn't used in Exchange 2010 because Microsoft didn't do the work to update the utility to reflect the new database schema. In fact, the change in focus within the schema from tables that work across the entire database to those that are specific to a mailbox means that it's increasingly rare to encounter logical issues that interfere with a database—and if you find a problem with a mailbox, a simple mailbox move from one database to another is often sufficient to sort out problems with structures, such as named properties, views, and item counts. The reason a mailbox move fixes these problems is that the move operation essentially rebuilds the new mailbox in the target database and therefore eliminates many logical problems as data is moved. (For more information about how Exchange 2010's move operations work, see "Moving Mailboxes the Exchange 2010 Way," InstantDoc ID 103651.) 

In Exchange 2010 SP1, Microsoft completed the move away from ISINTEG by providing a new set of repair cmdlets for mailbox and public folder databases to allow administrators to create repair requests that address the most common causes of corruption for views and item counts. These include the following: 

• Search folder corruptions (mailbox) 

• Incorrect aggregate counts on folders (mailbox) 

• Incorrect contents returned by folder views (mailbox) 

• Public folder replication state 

• Public folder view verification 

• Public folder physical corruption 
These repair cmdlets use roughly the same model as Exchange 2010 mailbox move, import, and export requests in that an administrator creates a repair request that's queued for processing by the Store, which then performs whatever repairs are required asynchronously with the database online. There's no need for the user to log out of his or her mailbox while the Store examines and adjusts internal mailbox structures. There's no UI available in Exchange 2010 SP1 to allow repair requests to be generated from the Exchange Management Console (EMC) or the Exchange Control Panel (ECP), so everything has to be managed using Exchange Management Shell (EMS) commands. Also, you can't run mailbox or public folder repair requests against legacy Exchange servers because this functionality depends on the Active Directory (AD) schema updated by Exchange 2010 SP1. 

The New-MailboxRepairRequest cmdlet creates a repair request for a mailbox, whereas the New-PublicFolderDatabaseRepairRequest cmdlet creates a repair request for a public folder database. For example, this command creates a mailbox repair request to check that folder views are valid: 

New-MailboxRepairRequest -Mailbox 'Redmond, Tony' -CorruptionType FolderView 

If you add the -DetectOnly parameter to the request, Exchange will report any corruption that it finds but won't repair it. The other corruption types that can be fixed in a mailbox are SearchFolder, AggregateCounts, and ProvisionedFolder. These repairs fix problems with search folders, counts on folders, and provisioned folders. 

You can perform several repairs with one pass through a mailbox by specifying a list of the different fixes that you want to make. For example: 

New-MailboxRepairRequest -Mailbox 'Redmond, Tony' -CorruptionType FolderView, SearchFolder 

The Archive parameter defines whether or not the Store scans the mailbox's personal archive. If omitted, the archive isn't processed—so to include the archive in the repair, we need a slightly modified command: 

New-MailboxRepairRequest -Mailbox 'Redmond, Tony' -CorruptionType FolderView, SearchFolder -Archive 

You can also scan all the mailboxes in a database at one time to fix any corruptions that are found in any mailbox. For example: 

New-MailboxRepairRequest -Database 'VIP Mailboxes' -CorruptionType FolderView, SearchFolder, AggregateCounts 

Figure 2: Submitting a mailbox repair request 

Only one type of corruption can currently be fixed for a public folder database. This is the replica list, which is repaired as follows: 

New-PublicFolderDatabaseRepairRequest -Identity 'PFDatabase1' -CorruptionType ReplicaList 

When you submit a new mailbox or public folder repair request, Exchange responds with a task identifier and the name of the server that will handle the request, as Figure 2 shows. This is the mailbox server that currently hosts the active copy of the database or where the public folder database is mounted.

The only evidence of the progress that Exchange makes with the repair exists in the application event log, which captures event 10047 when a mailbox repair request is initiated (or event 10059 when you request repairs for a complete database) and event 10048 when it's completed successfully and no corruptions remain in the mailbox. These events are logged on the server that processes the request. If a corruption is detected, Exchange logs event 10062 with the details of the corruption that was found and the results of the action. Note that the Store might need to make several repairs before it can eliminate all problems from a mailbox, so you need to continue running repairs until event 10048 is logged to report a clean mailbox.

To ensure that performance isn't affected, you can run only a single repair against a complete database on a server at one time. However, you can run up to 100 individual mailbox repairs concurrently on a server (spread across multiple databases).

If the database has copies within a DAG, the results of any repairs made to fix problems found in the tables within the mailbox are replicated, along with other transactions, to the database copies, and are logged as events in the application event log on the server where the repair is performed. Much the same happens when repairs are applied to a public folder database, with the exception that the repair occurs on a specified public folder database and any results are replicated using the public folder replication mechanism.

You can't cancel or review the current status of a repair job. This functionality is likely to be added by Microsoft in a future release. For now, the only way to terminate a repair job is to dismount a database or move the database to another server (or if the database crashes because of a software bug). These actions clear out any repair jobs that might be active within the database.
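Because the event log is the only progress record, an administrator ends up submitting a request and then watching for events 10047, 10062 and 10048 on the right server. The following EMS script is an added example, not the article's code: it does exactly that for one mailbox, running a detect-only pass unless -Repair is given. The mailbox name is a placeholder, and finding the processing server through Get-MailboxDatabase -Status and its MountedOnServer property is an assumption based on the article's statement that the server hosting the active copy handles the request.

```powershell
# Added example (not the article's code): submit a mailbox repair request and
# watch the Application log of the processing server for the events the
# article lists: 10047 (request started), 10062 (corruption found, with
# details) and 10048 (mailbox clean). Run from an Exchange 2010 SP1 EMS.
function Watch-MailboxRepair {
    param(
        [Parameter(Mandatory=$true)][string]$Mailbox,   # e.g. 'Redmond, Tony' (placeholder)
        [string[]]$CorruptionType = @('FolderView', 'SearchFolder',
                                      'AggregateCounts', 'ProvisionedFolder'),
        [switch]$Repair,            # omit for a detect-only pass
        [int]$TimeoutMinutes = 30
    )

    $started = Get-Date

    # Assumption: the events are logged on the server hosting the active copy
    # of the mailbox's database, which is the server the article says handles
    # the request; MountedOnServer is only populated with -Status.
    $dbName = (Get-Mailbox -Identity $Mailbox).Database
    $server = (Get-MailboxDatabase -Identity $dbName -Status).MountedOnServer

    # Detect-only first: report corruption without changing the mailbox.
    $params = @{ Mailbox = $Mailbox; CorruptionType = $CorruptionType }
    if (-not $Repair) { $params['DetectOnly'] = $true }
    New-MailboxRepairRequest @params | Out-Null

    # There is no status cmdlet; the Application log is the only progress record.
    $status = @{ 10047 = 'started'; 10062 = 'corruption found'; 10048 = 'clean' }
    $filter = @{ LogName = 'Application'; Id = 10047, 10048, 10062; StartTime = $started }
    $deadline = $started.AddMinutes($TimeoutMinutes)
    $seen = @{}

    do {
        Start-Sleep -Seconds 30
        $events = Get-WinEvent -ComputerName $server -FilterHashtable $filter `
                               -ErrorAction SilentlyContinue | Sort-Object RecordId
        foreach ($e in $events) {
            if ($seen.ContainsKey($e.RecordId)) { continue }
            $seen[$e.RecordId] = $true
            # With up to 100 concurrent mailbox repairs on one server, the
            # message text is what ties an event to a particular mailbox.
            New-Object PSObject -Property @{
                Time    = $e.TimeCreated
                Id      = $e.Id
                Status  = $status[$e.Id]
                Message = $e.Message
            }
            # 10048 means no corruption remains; until then keep rerunning
            # the repair, as the article notes several passes may be needed.
            if ($e.Id -eq 10048) { return }
        }
    } while ((Get-Date) -lt $deadline)

    Write-Warning "No event 10048 within $TimeoutMinutes minutes; rerun the repair and keep watching."
}

# Detect first, then repair until a clean (10048) event is logged:
# Watch-MailboxRepair -Mailbox 'Redmond, Tony'
# Watch-MailboxRepair -Mailbox 'Redmond, Tony' -Repair
```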

The Myth Around ESEUTIL 

At times, it seems as if some commentators endowed ESEUTIL with mythical abilities to cure all known problems in Exchange databases. Furthermore, they recommended that ESEUTIL should be run regularly to compact and repair databases so that the database would be as efficient as possible. Let's be clear: This is a myth and a fallacy that should be consigned to the wastebasket as quickly as possible. My view is that ESEUTIL is brain surgery for Exchange databases, because if ESEUTIL isn't run by an experienced practitioner for the right reasons, it can turn a database into an incoherent lump.

There was a time when running ESEUTIL against a database was the only way to return space to the storage subsystem and fix internal problems. That time passed at the start of the present decade when Microsoft finally figured out how to make background maintenance recycle deleted pages efficiently. Many of today's administrators were still in short pants—it's that long ago!
There are still good reasons to run ESEUTIL, but not on an ongoing basis and certainly not to free up disk space. You might need to run ESEUTIL to make a backup copy of a database consistent before it can be mounted as a recovery database, or you might be advised by Microsoft Customer Service and Support (CSS) to run ESEUTIL to fix a low-level problem in the database that can't be fixed with the repair cmdlets—in this instance it's almost sure that some data loss will occur because ESEUTIL will drop any page that it can't repair.

Databases operating within a DAG have a major advantage over non-replicated databases in that they can patch single problem pages by requesting good data from another database copy. The requested data is replicated in the transaction log stream and replayed by the Store to patch the problem.

Aside from the cases that I outlined, I can't think of a good reason why I would want to dismount a database and remove access from users to run ESEUTIL for several hours to pursue some ethereal improvement that might or might not be applied to the database. In a production environment, this just doesn't make sense.

The Facts of Life 

Database maintenance is a fact of life for Exchange administrators. Most of the work is automatic and progresses behind the scenes, but there are some on-demand actions that must be taken to fix problems that occur at logical and physical levels. The new repair cmdlets introduced in Exchange 2010 SP1 are a welcome advance because they allow on-demand logical repairs to be performed online. However, we're still grappling with the command-line ESEUTIL utility—surely it must be next on the list for Microsoft to modernize and update!
FEATURED

Many businesses, regardless of size, are looking to SANs to address increasingly demanding storage needs. SANs offer flexibility for a variety of common infrastructure scenarios, including database and email servers, common file storage, and virtualization. SANs are incredibly popular when fault tolerance is a requirement, allowing quick recovery from disk or server failure. SANs can be built using a variety of technologies, ranging from DAS, to Fibre Channel, to incredibly popular iSCSI networks. Although many SAN architects and administrators focus on building a fault-tolerant disk subsystem, or clustering the servers in front of them, it isn't uncommon to find attention to the actual connections to the SAN neglected, with basic configurations that have single points of failure or less than optimal overall performance caused by bottlenecks and misconfiguration.

Complicating matters is the fact that many SAN vendors provide their own device drivers and 
management software designed to work with their equipment—but the OS can't take true advantage 
of them. Often, SANs built using equipment from multiple vendors must use generic drivers and might 
lack end-to-end management. 

To address these problems, Microsoft built support for Multipath I/O (MPIO) in Windows Server, 
which is designed to help businesses build highly available, fault-tolerant SAN configurations. As an 
additional benefit, MPIO can improve performance depending on your SAN equipment and overall 
configuration. In this article, I describe some of the features of MPIO in Windows Server 2008 R2, and 
I provide general recommendations for leveraging this powerful feature in your environment. 


Build a highly available, fault-tolerant SAN configuration

by John Howie


MPIO Basics 

Before going into detail about the features of MPIO in Windows Server, it's necessary to cover a few 
basics about the available configuration options, including the benefits of each option. Note that some 
of these options might not be available to you, depending on the type of SAN you have, as well as the 
support for MPIO available from the manufacturer of the components that it consists of. Server 2008 
R2 supports the following six MPIO configurations: 

• Failover 

• Failback 

• Round-Robin 

• Least Queue Depth 

• Weighted Path 

• Least Blocks 


Failover. The simple Failover configuration, also known as Fail Over Only, requires two or more paths from the server to the disks, whether DAS, via host bus adapters (HBAs) in a Fibre Channel system, or NICs and paths in an iSCSI SAN. The SAN administrator will select one path as the primary communication path and each additional path as a failover path. Each failover path has a preference assigned to it, and each path is used in turn from the most preferred to the least preferred when the primary path fails. When the primary path is restored, the SAN administrator must manually configure the system to use it, switching back from the failover path in use.

Figure 1: iSCSI MPIO Failover and Failback

Failback. The second configuration option, called Failback, is somewhat related to the Failover option. Like Failover, a primary path is defined; when it fails, communication is routed over alternative paths in decreasing order of preference. However, unlike Failover, communication is routed back over the primary path when it's restored. Failback is typically used when a primary communication path is faster or has fewer devices between the server and the disk subsystem than Failover paths and therefore has fewer points of failure. It should be noted that Failover and Failback operations aren't necessarily instantaneous, and there might be momentary disruptions in service when communication paths are switched. Although many applications won't suffer from momentary disruptions, high-performance applications such as database servers and heavily used email mailbox servers might see even a momentary disruption as a disk failure, which could cause unintended consequences such as server cluster node failovers on connected servers. For this reason, Failover is typically preferred over Failback unless the differences between the primary and alternative paths are marked. Figure 1 shows an example of Failover and Failback configurations in an iSCSI SAN deployment.

Round-Robin. When a server has two or more communication paths, the SAN administrator can choose to leverage them in a Round-Robin configuration. In this configuration, if a path fails, it ceases to be used by the server and is dropped from the round-robin pool of available paths until communication is restored. The advantage of this configuration is that requests are sent over multiple paths to the disk subsystem, which can improve performance. This configuration doesn't take into account the performance characteristics of each path, the complexity of the requests, or a queue of outstanding requests on a path, if any. To address potential performance issues, a SAN administrator should use this configuration only if all communication paths are equal. In addition, it can be assumed that all requests will likely be equivalent and there will be no queue of outstanding requests on any path greater than on any other path (which can happen if there are switches or routers on the path). If these assumptions hold true, a SAN administrator might still fail to see an increase in overall performance if the disk subsystem simply takes all requests into a single queue for processing regardless of the number of paths they travel over, and if the time it takes to process each request is greater than the time it takes a request to travel over any individual path. Performance can also degrade in a round-robin configuration if there's a failure in a component on a path, as well as if failover is configured at the component level, which results in lower performance. Figure 2 shows a typical round-robin configuration in a Fibre Channel SAN. A variation on Round-Robin configuration, called Round-Robin With Subset, is one in which one or more paths are set aside for failover in decreasing order of preference. When all round-robin paths become unavailable, the highest preference failover path available is used until one or more paths in the round-robin configuration are restored.

Least Queue Depth. The next configuration available to the SAN administrator is called Least Queue Depth. It requires drivers and components in the SAN to be able to report the number of outstanding requests for each path. MPIO will route proportionately more requests over the path with the least number of outstanding requests. This configuration doesn't require (or benefit from) all paths having equal performance characteristics or every request being similar in complexity. In fact, this configuration is designed to work well with uneven loads. This configuration doesn't have explicit failover paths defined, either. If a path is unavailable, it's simply removed from consideration.

Weighted Path. The next configuration available is called the Weighted Path. Each path is assigned a weight, and among the given available paths, MPIO selects the path with the least weight.

Figure 2: Fibre Channel MPIO Round-Robin

36 OCTOBER 2011 Windows IT Pro
We're in IT with You
www.windowsitpro.com

MPIO FOR ISCSI

Figure 3: Verifying that iSCSI Targets can be managed by MPIO

Least Blocks. The final configuration 
available is called Least Blocks. MPIO 
routes requests over the path with the least 
number of pending requests. 

Installing and Configuring MPIO 

MPIO is an optional feature in Server 2008. You can install it from Server Manager, or you can enter the following command on a command line:

ocsetup MultipathIo /norestart

When the feature is installed, a new tool called MPIO is added to the Administrative Tools folder. Also installed is an executable called MPclaim.exe. Although MPIO is easy to install, further configuration is highly dependent on your type of SAN and the equipment that it's comprised of. The reason for this is that although Server 2008 R2 ships with support for what's called a Device-Specific Module (DSM), you'll most likely need to get a DSM from your vendor(s). DSMs can be loaded from the MPIO tool. Before you proceed to load DSMs and configure MPIO, I recommend that you consult documentation from your SAN equipment manufacturer, because it's easy to make mistakes that can result in corrupt or lost data.

I recommend using MPIO with iSCSI, because MPIO is supported natively in Server 2008 R2 and doesn't require you to load a custom DSM. In addition, iSCSI is becoming the SAN of choice for many enterprises because of its flexibility and low cost of entry.


MPIO and iSCSI 

Before you can use MPIO with iSCSI, you need to discover existing multi-paths to iSCSI Targets. This can be done by launching the MPIO tool, selecting the Discover Multi-Paths tab, selecting the Add support for iSCSI devices check box, and clicking the Add button. Note that this will cause your system to restart. You can also discover iSCSI multi-paths from the command line, again with a reboot, by typing the following command:

MPclaim -r -i -d "MSFT2005iSCSIBusType_0x9"

Obviously, for this command to work, you need to have support for multiple paths from your iSCSI Initiator (your server) to your iSCSI Target(s). This is most simply achieved by using multiple NICs to connect to your iSCSI-based SAN, with IP addresses on unique subnets. You can verify that your iSCSI Targets can be managed by MPIO by typing the following command:

MPclaim -s -d

Figure 3 shows this command's output. You 
can get more information about any iSCSI 
Target managed by MPIO by specifying the 
disk number at the end of the command— 
for example, MPclaim -s -d 0. 

After you discover possible multi-paths, you can configure them using the iSCSI Initiator client, which can be launched from the Administrative Tools folder on the Start menu, or by typing iscsicpl from the command line. You should already have targets listed under the Discovered targets section of the iSCSI Initiator Properties applet. To configure MPIO for a target, select the target and click the Connect button to launch the Connect To Target dialog box. In the dialog box, select the Enable multi-path check box and then click the Advanced button. In the Advanced Settings dialog box, configure the alternative path to your iSCSI Target; then, click OK to exit and click OK again to exit the Connect To Target dialog box. Repeat these steps for every alternative path to your iSCSI Target.



Figure 4: Device properties for MPIO-enabled iSCSI Target

Figure 5: MPIO device details

Figure 6: MPIO path details

After you've added all your paths to your iSCSI Target, you can view the details by clicking the Discovered target and clicking the Devices button. Figure 4 shows an iSCSI Target that's represented as Disk 1 on the server, with two paths to it. Clicking the MPIO button launches the Device Details dialog box, from which you can modify the load balance policy, as Figure 5 shows. The default policy for iSCSI multi-paths is Round Robin, but you can pick from the other configurations supported by MPIO, with the exception of Failback. As Figure 6 shows, selecting a Path Id and clicking the Details button will show you details of the path to the iSCSI Target, such as the IP address and port of the iSCSI Target Portal. The Edit button launches a dialog box that you can use to specify the path type (active or standby) and weight (preference) each path has for MPIO configurations that let you specify active and standby paths, as well as a weight or preference for each.

Recommendations 

Every SAN configuration is unique, whether 
it's the hardware used, the nature of the 
requests made by servers connected to it, 
or both. MPIO provides a means for you 
to build high availability and, depending 
on your SAN configuration, potentially 
improve performance. Because each SAN is 
unique, it isn't possible to provide detailed 
recommendations for all situations, but 
some high-level guidelines exist. 

The first rule is that you should always make certain that there are multiple paths to your SAN from your servers, to ensure availability of services when components fail—MPIO is a means to accomplish this. The second recommendation is that wherever possible, you should use an MPIO configuration that takes advantage of the multiple paths to improve performance (for iSCSI MPIO, this is typically Round-Robin, the default). The third recommendation is that you should thoroughly test MPIO before putting production data into your SAN or running production applications. You can test MPIO by pulling out network cables from NICs dedicated to iSCSI connections, as well as by shutting down Fibre Channel switches and so on, to ensure that there's no disruption in access to data. The last recommendation is the most important: Work with your SAN vendor to get your vendor's recommendations for configuration of MPIO with Server 2008 R2 and the vendor's equipment. Many vendors provide extensive documentation for free on their website—a simple search will typically find this information.
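The first and third recommendations (every disk really has more than one path, and the configuration survives a pulled cable) can be checked from the server rather than by eye. The script below is an added example, not the article's code: it confirms the MPIO feature is installed, lists each MPIO-managed disk with its path count, and compares a baseline snapshot with one taken after a fault is injected. Reading the path counts from the MPIO_DISK_INFO class in the root\wmi WMI namespace is an assumption about where Windows exposes them (the article uses MPclaim -s -d for the same purpose).

```powershell
# Added example (not the article's code): verify that every MPIO-managed disk
# has redundant paths, and report what a failover test did to them. Assumes
# Windows Server 2008 R2 with MPIO installed. Path counts are read from the
# MPIO_DISK_INFO class in root\wmi (an assumption; "MPclaim -s -d" shows the
# same information interactively).
function Get-MpioPathReport {
    param([int]$MinimumPaths = 2)

    Import-Module ServerManager
    $feature = Get-WindowsFeature -Name Multipath-IO
    if (-not $feature.Installed) {
        Write-Warning 'MPIO is not installed; run "ocsetup MultipathIo /norestart" and reboot.'
        return
    }

    $instances = @(Get-WmiObject -Namespace 'root\wmi' -Class MPIO_DISK_INFO `
                                 -ErrorAction SilentlyContinue)
    $drives = @($instances | ForEach-Object { $_.DriveInfo })
    if ($drives.Count -eq 0) {
        Write-Warning 'No MPIO-managed disks; discover multi-paths first (MPclaim -r -i -d ...).'
        return
    }

    foreach ($drive in $drives) {
        New-Object PSObject -Property @{
            Disk      = $drive.Name          # e.g. "MPIO Disk0"
            Paths     = $drive.NumberPaths
            Dsm       = $drive.DsmName       # Microsoft DSM for native iSCSI support
            Redundant = ($drive.NumberPaths -ge $MinimumPaths)
        }
    }
}

# Compare a baseline with a snapshot taken after pulling an iSCSI NIC cable or
# shutting down a switch: a disk that lost all paths was not fault tolerant.
function Compare-MpioPathReport {
    param(
        [Parameter(Mandatory=$true)]$Baseline,
        [Parameter(Mandatory=$true)]$Current
    )
    foreach ($b in $Baseline) {
        $c = $Current | Where-Object { $_.Disk -eq $b.Disk }
        $after = if ($c) { $c.Paths } else { 0 }
        New-Object PSObject -Property @{
            Disk           = $b.Disk
            PathsBefore    = $b.Paths
            PathsAfter     = $after
            StillReachable = ($after -ge 1)
            LostPaths      = ($b.Paths - $after)
        }
    }
}

# Typical test sequence:
#   $before = Get-MpioPathReport
#   $before | Format-Table Disk, Paths, Dsm, Redundant -AutoSize
#   ... inject the fault (pull a cable), wait for path state to settle ...
#   Compare-MpioPathReport -Baseline $before -Current (Get-MpioPathReport) |
#       Format-Table Disk, PathsBefore, PathsAfter, StillReachable -AutoSize
```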
Reply to Autoforwarded Emails

My company has workstations connected to two separate networks. I have extremely active email accounts on both, but I work on one machine—and one network—far more than the other. I can't be bothered to log back on to my other workstation, which locks after only 5 minutes of inactivity, to check email. Because I'm a programmer, I created a macro to forward email messages to my preferred machine—which wasn't a bad idea, but I then found myself replying to my other account instead of to the person who originated the email! After catching some flack from people who were waiting for my response, I decided that I should come up with a macro to insert the correct email address in the To field, rather than my own. This turned out to be more of a challenge than I'd anticipated, so I'd like to share my solution, to help you circumnavigate the gotchas that I ran into.


Save time and eliminate switching back and forth between email accounts


Intercepting Reply Mail Items 

Outlook, like all Microsoft applications, is highly event driven. The code fires in response to certain 
user actions, such as clicking a button, tabbing onto a control, or pressing keys. Other actions are the 
result of application life-cycle events, such as startup and shutdown. Finally, there are specific events 
such as adding an appointment, setting a message's importance, or receiving a new email message. 
One thing to keep in mind about event-driven applications is that where you place the code is half the 
battle. If you choose the wrong event, you'll likely encounter all sorts of nasty side effects, including 
events not firing, firing too many times, and firing at the wrong times. 

Our goal here is to capture email messages that are a reply to certain forwarded emails—in particular, those that were formatted from one of our other accounts. This task seems simple, but as I said, events can be tricky to pin down.

The most logical candidate is the MailItem_Reply event. What could be simpler? We want to run code when we hit the Reply button. Unfortunately, the Reply event only occurs in response to open MailItems. Thus, if you're replying to an item that's selected in the Inbox Explorer pane but not open, the Reply event won't fire.

Another logical place to check for a reply action is the Reply button itself. You can trap the Click 
event of a toolbar button as follows: 


by Rob Gravelle 


Dim WithEvents objReplyButton As Office.CommandBarButton

Set objReplyButton = ActiveExplorer.CommandBars.FindControl(, 354)

However, this also turns out to be the wrong place, because it runs after the MailItem's Reply event, so you can't get a handle to it from there.
Figure 1: Outlook 2010's Developer tab

I could go on, but let's end the suspense. The best place for changing message properties turns out to be the MailItem_Open event. Although it's more generic than what we want, there are ways to narrow the scope to what we're looking for.

Visual Basic Editor 

All Microsoft Office applications come with a full-featured IDE, called Visual Basic Editor, that provides an interface for accessing application object models through code so that you can call object methods, set object properties, and respond to object events. The code used to accomplish these goals is a specialized subset of the Visual Basic (VB) language, called Visual Basic for Applications (VBA).

A Developer tab on the Outlook ribbon lets you access Visual Basic Editor and other developer tools. However, this tab is disabled by default to protect you against viruses and other malicious code. Therefore, you need to perform the following steps before you can use it:

1. Select Outlook Options from the File tab to open the Outlook Options dialog box, and click Trust Center.

2. Click Trust Center Settings, then select the Macro Settings option on the left.

3. Select the macro security level that suits your comfort level, keeping in mind that this setting also pertains to other people's macros and not just your own. If you don't want to give all macros carte blanche, you can have Outlook display a prompt each time a macro is about to run. That way, you can decide whether or not you want to let the macro run. This option is called Notifications for all macros.

4. Restart Outlook for the changes to take effect.

The Visual Basic button will appear on the far left, as Figure 1 shows.

Accessing the MailItem_Open Event

The secret to accessing an object's event in Outlook is to include the WithEvents keyword in the object declaration. The following code should be placed at the top of the ThisOutlookSession module:

Public WithEvents myMsg As Outlook.MailItem

After you add the object declaration, you can access it and its events from the Object and Procedure drop-downs. Note in Figure 2 that my Close and Open events are in bold because I added those events to my code. To add an event, you simply have to select it from the list; Outlook will add an empty sub to the module:

Private Sub myMsg_Open(Cancel As Boolean)

End Sub

Binding myMsg to the Inspectors.NewInspector Event

At this point we've declared a MailItem object and created an event for it, but we still need to set it somewhere. The place to do so is in the Inspectors_NewInspector event. The Inspectors object is actually a collection that contains the Inspector objects representing all open inspectors. Any time you open a window in which an Outlook item is displayed, that item is an inspector. Again, we're scattering our shots all over the place because an inspector can contain anything from a new appointment to a new task item. The good news is that we've narrowed down the field to items that are new. Therefore, opening an existing email message won't cause the Inspectors_NewInspector event to fire.

We can get at the Inspectors events the same way as we did with the MailItem. First, we use WithEvents to declare it, as follows:

Public WithEvents myOlInspectors As Outlook.Inspectors

The matching Close event releases the reference once the message window is closed:

Private Sub myMsg_Close()
    On Error Resume Next
    Set myMsg = Nothing
End Sub
Figure 2: Object and Procedure drop-downs

Listing 1: Setting the myMsg MailItem Object

Private Sub myOlInspectors_NewInspector(ByVal Inspector As Inspector)
    'only mail items, and only ones that haven't been saved or sent yet
    If Inspector.CurrentItem.Class = olMail Then
        If Len(Inspector.CurrentItem.EntryID) = 0 Then
            Set myMsg = Inspector.CurrentItem
        End If
    End If
End Sub


Listing 2: Replacing Your Email Address With That of the Original Sender(s)

With myMsg.Recipients
    .Remove 1
    .Add sender
    .Item(1).Resolve
    If Not .Item(1).Resolved Then
        'could be using "lastname, firstname" display format
        'used for known users on originating network
        If InStr(1, sender, ", ") Then
            Dim senderNames() As String
            .Item(1).Delete
            senderNames = Split(sender, ", ", 2)
            'reverse name order and convert to
            'firstname.lastname@networkaddress format
            sender = senderNames(1) & "." & senderNames(0) & "@microsoft.com"
            .Add sender
            .Item(1).Resolve
        End If
        'didn't work. Leave it empty.
        If Not .Item(1).Resolved Then myMsg.To = ""
    End If
End With

Then we can access the NewInspector() sub:

Private Sub myOlInspectors_NewInspector(ByVal Inspector As Inspector)

End Sub

Before we set our myMsg MailItem, we have to perform a couple of checks to accept only the inspectors that we want. The first test is whether the item is in fact an email message. The last thing we'd want to do is try to set a MailItem to another type. The inspector, which is passed to the sub, has a CurrentItem property that refers to the item the user is currently viewing. We can check its Class property to determine whether it's a MailItem. In fact, there's a constant named olMail that can be used for this purpose.

Another necessary check is for the unique ID string that the Messaging API (MAPI) store provider assigns when an item is created in its store. The EntryID property isn't set for an Outlook item until it's saved or sent; therefore, this check will separate our replies from those of other people. Listing 1 contains the code to perform this check. Setting the MailItem as in Listing 1 will cause its Open event to fire.

The myMsg_Open Event

The MailItem_Open event is the ideal place to set message values because it hasn't yet appeared on the screen. After that happens, good luck changing its values! The following sections provide a step-by-step walkthrough of how to set the To, Subject, and Body values to match those of the original email.

After you set the myMsg MailItem object in the Inspectors_NewInspector() event, every new email message will trigger the MailItem's Open event, whether it's a reply, a forwarded message, or a brand-new message.

Identifying forwarded emails. We can rely on the RE: prefix that Outlook adds to the subject to identify our replies. Moreover, our forwarded email messages have a subject line in the following format: From <sendername>: FW: <original subject line>. Therefore, a subject that begins with "RE: From" was forwarded from the other network.

Finally, the sender should be yourself. The MailItem.To field is the place to find that information:

Private Sub myMsg_Open(Cancel As Boolean)
    If myMsg.Subject Like "RE: From*" _
        And myMsg.To Like "Gravelle*Robert*" Then

    End If
End Sub

Retrieving the original sender from the message subject. The subject will contain either the sender's display name or email address, depending on whether the sender is a member of the originating network. In either case, we need to parse it from between the "RE: From" and colon (:) subject text. The following code achieves this action:

Dim sender As String, pos As Integer
pos = InStr(9, myMsg.Subject, ":") - 9
sender = Trim(Mid(myMsg.Subject, 9, pos))

Setting the To field to the original sender. Replacing your email address with the original sender's won't ensure that the mail server recognizes the sender. Therefore, applying the Recipient.Resolve() function will help. A failure to resolve the address is most likely caused by the display name being used instead of a full email address. It's actually not that difficult to fix, because we know the originating network's host name. In my case, converting the display name (formatted as Lastname, Firstname) into a proper email address (formatted as Firstname.Lastname@hostname.com) requires nothing more than reversing the name order, inserting a period between them, and appending the email address. A second call to Resolve() will confirm that this action did the trick. If not, I just leave the To field empty. However, I've never encountered this condition yet. Listing 2 contains the code to set the To field to the original sender.

Setting the subject. As in all forwarded email messages, the original subject line begins immediately after the "FW:" prefix. InStr() is used to find the original subject line's position in the string. The text that follows is appended to the "RE:" reply identifier; thus, "REMINDER: Network Maintenance" would be parsed from "From Smith, Bob: FW: REMINDER: Network Maintenance," as follows:

pos = InStr(9, myMsg.Subject, ":") - 9
'start search after the "RE: From"
pos = InStr(pos + 1, myMsg.Subject, "FW:")
myMsg.Subject = Left(myMsg.Subject, 4) & _
    Trim(Mid(myMsg.Subject, pos + 3))

Listing 3: Formatting the Message Body the Same as the Original Message

Dim myOlSel As Outlook.Selection
Dim oOriginalEmail As Outlook.MailItem

If safemsg.Subject Like "RE: From*" _
    And safemsg.To Like "Gravelle*Robert" Then
    'set the body to the original email
    Set myOlSel = Application.ActiveExplorer.Selection
    If myOlSel.Count = 1 Then
        If myOlSel.Item(1).Class = OlObjectClass.olMail Then
            Set oOriginalEmail = myOlSel.Item(1)
            'the reply's ConversationIndex is the parent's index plus 10
            'hex characters, so strip them to get the parent's index
            Dim strParentConversationIndex As String
            strParentConversationIndex = Left(myMsg.ConversationIndex, _
                Len(myMsg.ConversationIndex) - 10)
            'if the selected item isn't the parent, go and find it
            If strParentConversationIndex <> oOriginalEmail.ConversationIndex Then _
                Set oOriginalEmail = FindParentMessage(myMsg)
            If Not oOriginalEmail Is Nothing Then
                Select Case oOriginalEmail.BodyFormat
                    Case olFormatHTML
                        myMsg.HTMLBody = oOriginalEmail.HTMLBody
                    Case olFormatPlain, olFormatRichText
                        myMsg.Body = oOriginalEmail.Body
                End Select
            End If
        End If
    End If
End If

Listing 4: Using the ConversationIndex and ConversationTopic Properties to Locate the Original Message

Function FindParentMessage(msg As Outlook.MailItem) As Outlook.MailItem
    Dim strFind As String
    Dim strIndex As String
    Dim fld As Outlook.MAPIFolder
    Dim itms As Outlook.Items
    Dim itm As Outlook.MailItem

    On Error Resume Next

    'the parent's ConversationIndex is the child's minus its last 10 characters
    strIndex = Left(msg.ConversationIndex, _
        Len(msg.ConversationIndex) - 10)

    'narrow the search to Inbox items with the same conversation topic
    Set fld = Application.Session.GetDefaultFolder(olFolderInbox)
    strFind = "[ConversationTopic] = " & _
        Chr(34) & msg.ConversationTopic & Chr(34)

    Set itms = fld.Items.Restrict(strFind)

    For Each itm In itms
        If itm.ConversationIndex = strIndex Then
            Set FindParentMessage = itm
            Exit For
        End If
    Next

End Function

Setting the message body to the original text. As you know, every time you reply to or forward an email message, Outlook appends some text to the body, such as your signature and the originating message's properties. Although not essential, it's possible to remove the extra section from the email and revert the message body back to that of the original message. There are two ways to do this: You can either parse the message to remove the extra text, or you can replace the entire message body with that of the original one. The latter is my preferred solution because different body formats can make parsing a nightmare.

It's best to take care of the message body first, before manipulating the subject line. As you'll see, the code that finds the originating message, called the parent, uses the ConversationTopic property. Changing the message subject alters this property.

Finding the parent is a two-step process. First, the code checks the currently selected message in the active Explorer window. The currently selected item in the Explorer window is likely to be the parent. We can confirm this by comparing its ConversationIndex with that of our reply. The ConversationIndex of the first message in a thread is a 22-byte header, and each time you reply to (or forward) a message, Outlook appends a 5-byte child block to the parent's value; because the object model exposes the property as a hex string, that's 10 characters per level. Hence, the reply's ConversationIndex minus its last 10 characters will match the parent's ConversationIndex.

To set the message body, we need to 
check the body format, because it could 
be HTML, RTF, or plain text. A Select Case 
statement, such as that in Listing 3, is used 
to set the appropriate body property. 

As I said, the currently selected message in the active Explorer window is likely the parent of the reply. However, it's also possible that it isn't. For instance, if you use the button on the MailItem Inspector to reply, you might have selected any number of other messages since opening the forwarded email message. (You might even be in another folder altogether.) In that case, you can use the MAPIFolder.Items.Restrict() function to find the parent. This function accepts a specially formatted string that contains the property to search and its value, and it returns a collection of items. The ConversationIndex is then checked against these items to locate the parent. Listing 4 contains the code that calls the MAPIFolder.Items.Restrict() function; it searches the Inbox, so if the parent lives in another folder, point the folder variable there instead.
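The parent-matching rule just described, together with the subject rewrite from the earlier section, as an added example in Python rather than the article's VBA. This is not the article's code and it doesn't talk to Outlook: it models a MailItem with only the three properties the lookup needs and runs against a constructed thread, so the index arithmetic can be checked without an Outlook session.

```python
"""Added example: the ConversationIndex arithmetic behind Listings 3
and 4, plus the subject rewrite, modelled in plain Python so the logic
can be exercised without Outlook. This is not the article's code.

MAPI's PR_CONVERSATION_INDEX is a 22-byte header on the first message
of a thread; each reply (or forward) appends one 5-byte child block to
its parent's value. The Outlook object model exposes the property as a
hex string, so one level is 10 characters, and the parent of a message
is the one whose index equals the child's index with its last 10
characters removed. All indexes and messages below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

HEADER_HEX = 44  # 22-byte thread header, in hex characters
CHILD_HEX = 10   # 5-byte child block per reply level, in hex characters


@dataclass(frozen=True)
class Message:
    """Stand-in for a MailItem: only the properties the lookup needs."""
    subject: str
    conversation_topic: str
    conversation_index: str


def is_well_formed(index: str) -> bool:
    """Hex, carries the full header, and grows only in whole child blocks."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", index):
        return False
    extra = len(index) - HEADER_HEX
    return extra >= 0 and extra % CHILD_HEX == 0


def parent_index(index: str) -> Optional[str]:
    """Index the parent must carry, or None when this is the thread root."""
    if not is_well_formed(index):
        raise ValueError("malformed ConversationIndex: %r" % index)
    if len(index) == HEADER_HEX:
        return None
    return index[:-CHILD_HEX]


def find_parent(reply: Message, selected: Optional[Message],
                folder: List[Message]) -> Optional[Message]:
    """The two-step lookup from the article: accept the currently selected
    item if its index is the reply's parent index; otherwise narrow the
    folder to the reply's ConversationTopic (what Items.Restrict() does in
    Outlook) and scan for that index."""
    wanted = parent_index(reply.conversation_index)
    if wanted is None:
        return None
    wanted = wanted.upper()
    if selected is not None and selected.conversation_index.upper() == wanted:
        return selected
    for item in folder:
        if item.conversation_topic != reply.conversation_topic:
            continue
        if item.conversation_index.upper() == wanted:
            return item
    return None


def reply_subject(subject: str) -> str:
    """Turn the subject Outlook generates when you reply to a forward,
    e.g. "RE: From Smith, Bob: FW: REMINDER: Network Maintenance", into
    "RE: REMINDER: Network Maintenance". Only the "FW:" that follows the
    "From <name>:" prefix is consumed, so a "FW:" inside the real subject
    survives; subjects without the prefix come back unchanged."""
    m = re.match(r"RE: From [^:]+:\s*FW:\s*(.*)", subject, flags=re.IGNORECASE)
    if not m:
        return subject
    return "RE: " + m.group(1).strip()


# Constructed thread: root -> forwarded copy -> reply being composed.
ROOT_INDEX = "01D7B3A4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F6"  # 44 hex chars
FWD_INDEX = ROOT_INDEX + "00A1B2C3D4"                          # one level down
REPLY_INDEX = FWD_INDEX + "00E5F60718"                         # two levels down

TOPIC = "REMINDER: Network Maintenance"
ROOT_MSG = Message(TOPIC, TOPIC, ROOT_INDEX)
FWD_MSG = Message("FW: " + TOPIC, TOPIC, FWD_INDEX)
REPLY_MSG = Message("RE: From Smith, Bob: FW: " + TOPIC, TOPIC, REPLY_INDEX)
OTHER_MSG = Message("Lunch?", "Lunch?", "01D7B3A4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F7")
INBOX = [OTHER_MSG, ROOT_MSG, FWD_MSG]

if __name__ == "__main__":
    # The selected item is the root, not the parent, so the folder scan runs.
    print(find_parent(REPLY_MSG, ROOT_MSG, INBOX).subject)  # prints "FW: REMINDER: Network Maintenance"
    print(reply_subject(REPLY_MSG.subject))                  # prints "RE: REMINDER: Network Maintenance"
```

find_parent() does what Listings 3 and 4 do between them: the selected item wins only if its index is the reply's index less its final child block, and otherwise the candidate set is narrowed to the reply's ConversationTopic before the index comparison. is_well_formed() rejects anything that isn't a 22-byte header plus whole 5-byte blocks, which is the check you'd want before trusting a ConversationIndex on a message that arrived from outside your organization.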

Circumventing Outlook's Infamous Warning Dialog

Because it's such a popular product, Outlook has long been the target of hackers. To help thwart the attempts of attackers, Microsoft implemented numerous security features into Outlook. I'm all for security, but I wish Outlook's security police wouldn't intercept my own code. I'm not trying to bring down my own machine, at least not on purpose!

Figure 3: Security warning in Outlook 2010

The feature doing the intercepting is the Outlook E-mail Security Update, usually called the object model guard. It shipped as an optional patch for Outlook 98 and Outlook 2000, was rolled into Outlook 2000 SP2, and has been built into every version since Outlook 2002. When a macro reads a guarded property, such as a message's sender or recipient addresses or its body, or tries to send a message programmatically, you'll see a warning dialog box such as the one in Figure 3. You can't do much about these annoying dialog boxes from the macro security settings; even setting the macro security level to low (which I don't recommend) won't affect them, because the guard is separate from macro security. In Outlook 2007 and 2010, the Trust Center's Programmatic Access settings govern the prompt: with the default setting, it's suppressed while a current antivirus product is detected and shown otherwise.

Luckily, there are a few workarounds. My personal favorite is Outlook Redemption, a third-party COM library; after it's registered on the system, it's accessible to any programming language (e.g., VB, VBA, VC++, Delphi). Redemption uses extended MAPI (which isn't affected by the security patch because it isn't accessible to the scripting languages) to duplicate the functionality blocked by the security patch. All Safe*Item Redemption objects have an Item property that must be set to an Outlook item. Through the Item property, you can access any MailItem properties and methods, both blocked and not blocked. For the blocked properties and functions, Redemption objects completely bypass the Outlook object model and behave exactly like Outlook objects with no security patch applied.

Keep in mind what that means. The guard exists because script-based mass mailers harvested addresses and sent mail through the object model, and a registered bypass library is available to any script or program that runs on the machine, not just to your own macros. Treat it as a trusted component and install it only where you accept that trade-off.

Using Redemption in the myMsg_Open() Event

Making the MailItem.Open() event code work with Outlook Redemption requires replacing all read references to the MailItem's sender and recipients with Redemption's SafeMailItem. One caveat to using the SafeMailItem is that you can't access recipient information until the message has been saved. Therefore, you can't retrieve information about a message's recipient list for new messages. However, this problem is easy to remedy: Just call the Save() method on the original MailItem before assigning it to the Redemption SafeMailItem. This action saves the message to the Drafts folder. After you assign the SafeMailItem's Item property to the original mail message, you can access both the MailItem and additional Redemption properties.

Other than the addition of a Redemption.SafeRecipient object to handle resolving the email address, the rest of the code is largely identical to the original Open event. Listing 5 contains the code to set the sender and subject line using Redemption. It doesn't contain the optional code to set the body.

Grab Your Fork and Dig In

Although replying to a forwarded email message isn't as simple as setting a rule, Outlook does provide the capability to do so, as long as you're willing to venture into the world of Outlook events and VBA code. Many people steer clear of this part of Outlook for fear of introducing bugs into their beloved email application. However, all you need to do is take a little time to consider the best event(s) in which to place your code. Everything after that is a piece of cake!

InstantDoc ID 140409 
NEW & IMPROVED

■ NETIKUS on the iPhone ■ MSI Notebooks ■ Nexsan NAS ■ ERPM Update

MSI's Powerful X460 and X460DX Notebooks

MSI released its X460 and X460DX notebooks, 14" mobile powerhouses for professionals on the go. Part of the X Series ultra-slim notebooks, both units are powered by Intel Core processors, integrated Intel GMA HD or nVidia GeForce GT540M video cards, Microsoft Windows 7, and THX TruStudio PRO. Featuring Intel Wireless Display (WiDi) 2.0, the X460 model lets users easily connect their laptops to any television unit using standard Wi-Fi. All models come with two USB 3.0 ports, HDMI connectivity, and a 1.3-megapixel integrated webcam for easy expansion and networking. For more information, visit www.msimobile.com.

Twisted Pair Gives Microsoft Lync Users Access to Mobile Workers

Twisted Pair Solutions released WAVE Communicator for Microsoft Lync, an application for extending the voice capabilities of Microsoft Lync Server 2010 to mobile workers. WAVE Communicator extends the reach of Microsoft Lync so that office-based workers and mobile workers using smartphones can simply and securely communicate via voice or text while sharing valuable information such as status and presence. WAVE Communicator is a key component of WAVE 5.2, the latest version of Twisted Pair's communications platform. Contact Twisted Pair at www.twistpair.com.


Nexsan's E5000 Family of NAS Systems

Nexsan announced the first two models of the E5000 Family of NAS systems, the E5110 and the E5310. Both models are feature-rich and use the revolutionary FASTier cache, which utilizes multiple SSD technologies that work transparently to boost performance for random I/O workloads, including applications that are run on top of virtualized computing environments such as VMware, Xen, and Hyper-V. The E5000 Family is the latest addition to Nexsan's Flexible Storage Platform. For more information, visit www.nexsan.com.



EventSentry Comes to the iPhone

NETIKUS.NET's EventSentry provides monitoring capabilities for critical infrastructure systems. NETIKUS.NET has released a new version of EventSentry (2.92), and it's got some cool changes worth pointing out to you network admins out there.

The biggest change is the introduction of an SNMP daemon, which lets you receive SNMP traps (v1, v2, v3) with EventSentry. The SNMP trap daemon is also available in the tool's free edition, EventSentry Light. The SNMP daemon is extremely easy to set up, so anybody can configure basic SNMP monitoring at no cost in a matter of minutes.

The company also released a native iPhone app (it hopes to introduce apps for other platforms soon), which gives you basic information about the monitored hosts from the iPhone. Unlike some other offerings, it's not just a web page but a real iPhone app that takes advantage of the iPhone functionality, such as swiping. For more information about EventSentry 2.92, check out the company blog at www.eventlogblog.com/blog/2011/06/eventsentry-iphone-app-new-v29.html.





Nimbula's Cloud OS Runs 
Geographically Distributed Clouds 

Nimbula introduced Nimbula Director 
1.5, the newest release of its cloud OS that 
helps enterprises and service providers 
build powerful private, hybrid, and public 
cloud infrastructure. Nimbula Director 
abstracts the underlying technology to 
present a coherent view of a completely 
automated compute and storage cloud. 
Providing a one-stop virtual data center 
management solution, Nimbula Director 
isolates customers from the operational 
and hardware complexity associated 
with deploying a private or public cloud. 
With version 1.5, Nimbula Director is now 
capable of supporting a geographically 
distributed cloud—an industry first. For 
more information, visit nimbula.com. 

NetWrix's Security and Compliance 
Auditing Solution 

NetWrix released a new version of its Change Reporter Suite, a change-auditing solution that lets you track who made what change, when and where, in the entire IT infrastructure to assist with security and compliance policies and regulations, such as SOX, HIPAA, and PCI. NetWrix Change Reporter supports many types of managed systems, including Active Directory (AD), file servers, storage appliances (NetApp, EMC), Microsoft Exchange Server, SQL Server databases, virtual and physical infrastructures (VMware and Microsoft), SharePoint, and more. New features include real-time change alerting, snapshot reporting, and enterprise-level scalability. Contact NetWrix at www.netwrix.com.

Lieberman's Enterprise Random 
Password Manager Update 

Responding to the proliferation of high-profile data breaches in corporate, financial, and government enterprises, Lieberman Software has updated its Enterprise Random Password Manager (ERPM) solution with expanded cross-platform discovery and propagation capabilities; enhanced multi-factor authentication to protect privileged logons from key logging, social engineering, and other attacks; and greater flexibility to grant authorized IT staff immediate access to systems for servicing, configuration, and repair. The new ERPM two-factor authentication supports hard tokens, soft tokens, event tokens, time tokens, six-digit tokens, eight-digit tokens, and token values delivered via SMS or email. Find additional information at www.liebsoft.com/erpm.

ManageEngine Boosts On-Demand Applications with AD Integration

ManageEngine recently gave a boost to its On-Demand applications with AD integration for ServiceDesk Plus On-Demand, the ITIL-ready cloud-based Help desk and asset management solution, through the OASIS Security Assertion Markup Language (SAML). Single sign-on lets users reach ServiceDesk Plus On-Demand with the Windows Integrated Authentication logon they already have, with one less password to remember. A free 30-day trial of ServiceDesk Plus On-Demand is available at ondemand.manageengine.com/service-desk/signup.html.
www.windowsitpro.com 


We're in IT with You 


Paul’s Picks 


www.winsupersite.com 



Summaries of in-depth product reviews on Paul Thurrott's SuperSite for Windows


Microsoft Touch Mouse

PROS Multi-touch functionality for Windows in familiar form factor; OS X-like app switching in new Instant Viewer; BlueTrack accuracy

CONS Requires Windows; multi-touch is awkward on mouse surface; ergonomic concerns

RATING: 3 of 5

RECOMMENDATION: Appearing about two years after Apple's very similar Magic Mouse, Microsoft Touch Mouse provides multi-touch gestures for scrolling, window management, and application switching, as well as offering Microsoft's vaunted BlueTrack technology. But ultimately, it suffers from typical ergonomic issues (it's a bit small) and from the same problems that dog Apple's Magic Mouse, mainly that it's easier to perform multi-touch gestures on a flat screen or trackpad.

CONTACT: Microsoft • www.microsoft.com

DISCUSSION: See the review "Microsoft Touch Mouse," http://www.winsupersite.com/article/windows-7/microsoft-touch-mouse-140081.


Big Nerd Ranch iOS Developer Training

PROS Excellent course materials and instructors; distraction-free and immersive environment

CONS Highly technical; aimed at very experienced developers

RATING: 5 of 5

RECOMMENDATION: Yes, there are many ways to learn iOS development, but this is dense, complicated stuff, even for experienced developers, because of the vagaries of Objective-C, the Cocoa Touch frameworks, and Apple's inscrutable developer tools. The experts at Big Nerd Ranch can claim a legacy that includes stints teaching Apple's own developers. The class is held in a rural Atlanta-area location, or you can bring Big Nerd Ranch to your own location.

CONTACT: Big Nerd Ranch • bignerdranch.com

DISCUSSION: See the review "Achieving Nerdvana With Big Nerd Ranch," http://www.winsupersite.com/article/developer/achieving-nerdvana-big-nerd-ranch-140171.
Figure 1: vCloud Express web console


IT professionals are faced with endless 
projects and administrative tasks, including 
provisioning test virtual machines (VMs). 
What if you could offload some test servers 
to a cloud-based provider and unleash 
developers to spin up new VMs at will? Or 
what if you need to do extensive testing 
and you have high resource demands or 
you need isolated test machines? These are 
some of the many use cases for VMware's 
vCloud Express, a cloud-based virtualization 
solution offered by both Virtacore Systems 
and Terremark. 

I purchased vCloud Express from Virta- 
core's website. I used the web-based portal 
to enter my credit card and other basic 
information to order the software. After less 
than 24 hours, my account was approved 
and logon information was emailed to me. 

After I logged on, I clicked the oversized Create a New Server button, which launched a wizard to create a VM. Two public cloud locations exist: Virginia (the default for new servers) and California; these locations are represented by separate tabs in the easy-to-navigate web console, which Figure 1
shows. Options in the wizard include the 
vApp group (server group), server name and 
description, and which OS template to use. 
OS choices are various builds of CentOS, Red 
Hat, Ubuntu, and Windows. For my testing, 

I focused on Windows, which is available 
in 32-bit Windows Server 2008 R2 (which 
is natively 64-bit) or Windows Server 2008. 
Unfortunately, no license options exist for 
workstation client installations or older 
server versions, such as Windows Server 
2003—which limits some testing. 

After you select the OS, the next choice is the size of the VM, which defines the memory/disk/CPU combination. All machines have two to eight virtual CPUs and memory ranges from 1GB to 16GB; disk space is fixed at 5GB. After I ran through the wizard, a VM was created in a matter of minutes.

I powered on the new VM, then I used the supplied username and password combination to log on. However, I couldn't access the Internet. I checked the rudimentary firewall in the Virtacore web console, but no firewall rules existed to filter traffic. I contacted Virtacore and a support engineer quickly resolved the problem.


To access the servers the first time on 
any Windows machine, click the Console 
button for any server. You're then prompted 
to download the VMware Remote Console 
Plug-in, a 21 MB download that's used for 
connecting to VMs. For the console to install, 
Internet Explorer (IE) cannot be running. 

After I installed the plug-in and clicked 
Console to launch the VM I wanted, the 
system launched the VMware Remote 
Console. I was impressed with the console— 
especially the mouse scrolling and keyboard 
operations; there was absolutely no mouse, 
screen, or keyboard latency in my testing. 
The robust performance made me feel like I 
was using an RDP connection to the server. 

Performance was excellent. I ran DCPROMO to create a domain in just a few minutes. However, the speed to create or power up VMs varied dramatically. For example, powering up a VM took more than 10 minutes one day but only a few minutes the next day. My VMs had plenty of processor capacity. The default 50GB of disk space for a Windows machine is adequate for initial provisioning, but it wasn't clear how to add storage space. Antivirus protection isn't included, so I installed ClamWin's open-source antivirus protection (www.clamwin.com), which worked for testing purposes.

The interface did have some quirks. For example, I changed the administrator password on a machine, but the software didn't update the Virtacore web console that displays the administrator password. Also, there was no way to block the display of the old password, which was confusing.

Cloning server groups or copying a 
server group is a handy way to template a 
group of VMs for rapid deployment or simply 
to save a group of VMs. A cold-copy function 
exists for each VM. However, snapshotting 
isn't supported. 

Although vCloud Express is new and has a few configuration kinks, it delivers a fast VM connection, a speedy Internet connection, and a representative choice of prebuilt VMs. This product is a solid option for IT professionals looking for creative ways to meet the high demands of development staff, or those who need access to test VMs.

InstantDoc ID 139998 

vCloud Express 

PROS: Easy setup; quick deployment; wide 
range of OS choices 

CONS: Uneven performance; no support for 
Windows Server 2003 

RATING: 

PRICE: Pay as you go, credit card only; price 
ranges from $.09 to $1.12 per hour for licensed 
Windows-based servers, depending on memory 
and processor configuration 

RECOMMENDATION: vCloud Express offers a 
rapid path to a development/test environment 
for time- or resource-strapped admins who lack 
a test environment or Windows licenses, or who 
need a completely segregated test environment. 

CONTACT: Virtacore Systems • 888-573-7837 • 
www.virtacore.com 



46 OCTOBER 2011 Windows IT Pro 


REVIEW


vWorkspace

Quest Software's vWorkspace uses proprietary agents installed on existing servers and virtual machines (VMs) to create a unified view of an organization's desktop virtualization environment. The software uses an enhanced version of Microsoft's Remote Desktop client to deliver a user environment with a rich media and graphics experience, with applications delivered seamlessly from any number of sources, such as Microsoft Application Virtualization (App-V) or Remote Desktop Services (RDS) servers.

This user experience is consistent across multiple platforms, including non-Windows platforms such as Linux and Apple iOS, and is managed from a central vWorkspace administration console.

I installed the vWorkspace 7.2 MR1 
connection broker in my Hyper-V lab on 
a Windows Server 2008 R2 system, with 
SQL Server 2008 Express pre-installed. The 
SQL Server installation is typically handled 
automatically by the product installer when 
no local or remote SQL Server instance is 
available, but this process failed, requiring 
me to install SQL Server manually. 

The vWorkspace connection broker runs on Windows Server 2003 SP2 or later (x86 or x64) and requires SQL Server 2008/2005 or SQL Server Express 2008/2005 (x86 or x64). It supports Microsoft Hyper-V Server 2008 R2; VMware ESX 4.1, 4.0, 3.5 U4, 3.5, and 3.0; and Parallels Virtuozzo 4.6, 4.5, and 4.0.

Like many similar products that provide an open administrative framework, vWorkspace takes a while to navigate and configure, although the UI will be comfortable to anyone familiar with the Microsoft Management Console (MMC) or Microsoft System Center products. The admin console also comes with a Quick Start Wizard to quickly import virtual desktops, Remote Desktop (RD) Session Hosts, or blade PC systems. There's also plenty of offline documentation.

Unfortunately, the automated provisioning process assumes that you've already prepared the various host systems by installing the vWorkspace Connector and opening the relevant TCP ports in the firewall. I hadn't done this and therefore received network failure errors. After I installed the agent software and opened the firewall, the import completed successfully. vWorkspace supports Microsoft System Center Virtual Machine Manager (VMM) 2008 R2; however, I was running VMM 2012 beta and couldn't connect vWorkspace to my management server, although I could connect it directly to the underlying Hyper-V host. I wasn't running either VMware vSphere or Parallels Virtuozzo in my lab.

Provisioning virtual desktops for VDI 
accessibility was straightforward, but the 
automated import again failed. I needed 
to manually install the management 
agent, enable Remote Desktop, and allow 
it through the firewall before vWorkspace 
could import the system for use in the 
vWorkspace environment. The vWorkspace 
system failed to push the agent to the 
workstation, despite being a member of the 
same domain and having access to domain 
administrator credentials. 

I was able to easily import users, groups, and computers from Active Directory (AD) into the vWorkspace farm in preparation for assigning resources to them. In the world of vWorkspace, a resource can be anything from a managed application on a Remote Desktop host or VDI system to a drive mapping to a wallpaper setting. Resources are then assigned to individuals or groups of users to create a virtual desktop experience, abstracted away from the underlying virtualization technology, with the vWorkspace system acting as the connection broker. Clients then connect to these resources using the vWorkspace client (an enhanced version of Microsoft's Remote Desktop client) or vWorkspace Web Access.

I was able to create some Hyper-V workstation resources and assign them to users, but I ran into several problems accessing them, due to Network Level Authentication (NLA) configuration issues on the workstations. Quest was able to replicate the problems and assisted me via WebEx sessions to overcome them. I was then able to create and assign an RDS server and applications.

From a standalone Windows 7 workstation, I was able to access the Hyper-V workstations, terminal server, and applications from both the local vWorkspace AppPortal application and the vWorkspace web interface. The client experience was quick and intuitive. Quest enhancements such as Adobe Flash redirection and support for Microsoft RemoteFX worked well and produced a much slicker client experience than is normally possible within a standard RDS environment.

vWorkspace's configuration is a little too manual, and the available wizards often aren't very helpful, especially when something goes wrong. It's also something of an all-or-nothing approach, with locally installed hooks into every system, which adds ongoing maintenance overhead. However, vWorkspace delivers an enhanced client experience that's nearly impossible to achieve if you try to deliver your entire desktop virtualization solution within the same vendor stack. vWorkspace supports a wide variety of platforms and provides improvements in application delivery and client-side multimedia performance. In addition, vWorkspace is well-positioned to enhance your existing virtualization investments rather than replace them. Finally, the product unifies otherwise disparate vendor technology, making it a genuine value-add.
vWorkspace

PROS: Unifies a wide range of vendor technolo¬ 
gies; high-quality vendor support 

CONS: Significant manual configuration of hosts 
and virtual desktops; unhelpful errors 

RATING: 

PRICE: $219 per user, with 12 months of maintenance and 24 x 7 Business Critical Support; government/education pricing also available

RECOMMENDATION: I recommend vWorkspace to any company looking to maximize ROI on existing desktop virtualization technologies and deliver an improved and more productive user experience.

CONTACT: Quest Software • 949-754-8000 • 
www.quest.com 


James Bannan | james@bannan.com.au 
Dell KACE K2000


The Dell KACE K2000 is a client OS deployment appliance that supports both Mac OS and Windows OS images. The K2000 comes as a 1U rack-mounted server. You can also deploy the K2000 as a virtual machine (VM) in a VMware environment. Because it runs a version of the BSD UNIX OS, the K2000 isn't supported on Microsoft's Hyper-V platform.

The K2000 uses a file-based imaging technology known as K-imaging. One benefit of K-imaging is that when you capture a new image, only data that hasn't previously been captured is transmitted to and stored on the unit. This technology minimizes the amount of time subsequent OS image captures take, as well as reduces the amount of space you need to store multiple OS images.

The K2000 uses a web-based administration console, which Figure 1 shows. This console means you don't have to install software locally on the computer you use to manage OS deployment. The console is straightforward and well-designed. When preparing an OS deployment, you drag and drop tasks, such as disk partitioning and user state migration, into the order you want them completed. The K2000 console streamlines what can be a complicated and arcane task in other products.

If your organization uses only Windows desktops, you can use Windows Deployment Services and the Microsoft Deployment Toolkit (MDT) 2010 to accomplish most of what the K2000 does. Where the K2000 adds value is that it sits on top of these tools, providing you with an optimized way of accomplishing the same tasks. For example, the User State Migration Tool (USMT) is a powerful command-line utility that lets you migrate user data from one computer to another in desktop upgrade or replacement scenarios. The drawback of the USMT is that to fully leverage the tool, you need to become conversant with some obtuse command-line functionality and XML file configurations.

The K2000 insulates you from all of that, 
letting you fully leverage the power of USMT 
without having to get into the nuts and 
bolts of using the command line correctly. 
You still need these tools, but the K2000 
makes them easier to use. 

Figure 1: KACE administration console

One thing I liked about the product was that it's relatively straightforward to fully automate the task of performing a wipe-and-load migration from Windows XP to Windows 7, while retaining user data. Although it's certainly possible to do this using MDT 2010 and Microsoft System Center Configuration Manager (SCCM) 2007 R3, the process is complicated and can take time to get right.

The K2000 supports driver harvesting, allowing you to rapidly populate the device with all the drivers used in your organization. You can also configure computer inventory tasks, which lets you verify that a specific hardware configuration can be upgraded before the OS image is deployed. You can leverage the K2000's built-in DHCP server to support Preboot Execution Environment (PXE) deployments, or you can integrate the K2000 with your existing DHCP infrastructure by configuring the appropriate DHCP options.

For organizations that have multiple sites, rather than deploy a full K2000 appliance to each site, you can deploy a stripped-down K2000 remote site appliance, which is a VM in open virtualization format, as a way of scaling out your deployment infrastructure.

The K2000 product documentation is available from the web console. The documentation provides useful walkthroughs for all the tasks you can perform with the appliance. There are also links to the KACE support website, which hosts video tutorials and FAQs. Customers also get several hours' setup and deployment training from the vendor to ensure that they aren't thrown completely in the deep end when the product arrives.
Dell KACE K2000

PROS: Makes OS deployment tasks straightforward, including post-installation application deployment; allows Mac OS deployment; simplifies building complex tasks, such as user state migration

CONS: Difficult to justify purchasing a separate 
product for organizations running only Windows 
desktops and already licensed for Microsoft's 
System Center suite 

RATING: 

PRICE: $5,466 for 100 nodes and 1 year of support and maintenance; $20,599 for 1,000 nodes and 1 year of support and maintenance; $40,006 for an unlimited site and 1 year of support and maintenance

RECOMMENDATION: If your organization 
wants to improve OS deployment and user 
state migration and isn't eligible for the System 
Center suite, or you need to automate Mac OS 
deployment, the KACE K2000 can make your life 
significantly easier. 

CONTACT: Dell • 877-646-8366 • www.kace.com 


Orin Thomas | orin@windowsitpro.com 
COMPARATIVE REVIEW



Office 365 vs. Google Apps

An end-user perspective of the leading cloud office suites 

by Zac Wiggy


A lot of the benefits of moving to the cloud are on the back end—such as reduced support costs, simplified storage architecture, and trading up-front costs for long-term expenditures. However, there are numerous benefits to end users, and there's less of a tradeoff in features than I'd thought. For starters, files are stored in simple web interfaces instead of in obscure shared network drives, and collaboration is easier. Working from multiple machines no longer involves emailing files to yourself. Microsoft and Google are both giving their online office suites a lot of effort—and because these services are in the cloud, there's no reason the companies can't update their offerings constantly.

Still, your users will have to make some sacrifices if you go with a cloud office suite. Traditional on-premises office suites (mainly Microsoft Office, but also its open-source competitors) are remarkably advanced and have tons of features. Even though the average user probably won't use most of these advanced features, you're likely to have users who will miss certain features if you move to web apps. And no matter how good your online office suite tools are, Internet access goes down unexpectedly sometimes. Consider these pros and cons carefully before deciding to move ahead.

Microsoft Office 365 and Google Docs are the two main players in online office suites right now. These two suites provide fundamentally different experiences for end users. Office 365 is primarily meant to tie into traditional, locally installed copies of Microsoft Office—and that's where your users are likely to do most of their work. Google Docs is all about working in browsers—you can import and export Office files, but web apps are Google's focus. In this comparison, I look at both suites from a user's perspective.

Price and Licensing 

Microsoft and Google have very different philosophies in their licensing practices. Google is simple: Google Docs is targeted at individuals, and it's free. You get access to all the web apps, and you can use all the Google products—Gmail for email, Google Talk for communication, and so on. For $5 per user per month or $50 per user per year, you can use Google Apps, which includes Google Docs and gives you extra storage, support, and a service level agreement (SLA).

Microsoft's plan structure is much more complicated. At the low end, Microsoft's kiosk worker plan (Plan K1) is $4 per month. This plan is mostly email and a place to store files for collaboration; it's aimed at employees in an enterprise who won't be working on machines of their own. At $16 a month, Microsoft's enterprise plan (Plan E2) gives access to Microsoft's web apps. The company's $27 a month plan (Plan E4) includes licenses for Microsoft Office and enterprise voice capability. Microsoft's structure includes numerous options, including plans aimed at small businesses.

Microsoft loses on price here—the company's least expensive 
plans will work for you only if your employees have simple, specific 
needs. In contrast, Google's inexpensive offering gives your users a 
functional cloud office suite. But you can get a lot more from Office 
365 if you pay for it, and at the high end it can act as a good chunk 
of an enterprise-class infrastructure. These IT-level options are 
outside the scope of this review, but know that they're available. 

Overall Experience and File Management 

Getting started with Google Apps is simple—just go to Google's website. Using Office 365 requires you to install some software. You need a browser plug-in, and you have to install Microsoft Lync for communication. You can use Microsoft Outlook or Outlook Web App (OWA) to connect to Office 365. Be careful if you're using an existing Microsoft Exchange Server infrastructure, though—Lync replaced Microsoft Office Communicator on my machine and wouldn't connect to my organization's Communicator infrastructure without a registry hack. Outlook 2007 also refused to connect to both Office 365 and the company's Exchange server at the same time.

When you sign up for Office 365, you get a subdomain of SharePoint.com (I got zac.wiggy.sharepoint.com). Go to your site and click Member Login to obtain access. After you log in, you're presented with your recently used documents as part of your SharePoint Team Site. Getting to your documents is easy, but doing anything else to your site will probably require administrator intervention—as someone without Microsoft Office SharePoint Server experience, I found trying to change site settings difficult.

Office 365's extra SharePoint features don't hinder users, but 
Google provides a simpler interface. With Google Docs, you just have 
the documents. Both suites make it easy to decide who has access to 
your documents and let you share them with outside users. 

Google supports most major browsers for Docs. Office 365, however, doesn't support Google Chrome—you can view documents, but you can't use the web apps, nor can you send a document to your local copy of Office from Chrome.
Figure 1: Google Docs home page


Google Apps/Google Docs 

PROS: Inexpensive; accessible from almost 
any device with a browser; advanced web 
applications 

CONS: Missing some advanced features from 
locally installed applications; flawed PowerPoint 
file support 

RATING: ♦♦♦♦O 

PRICE: $5 per user per month or $50 per user 
per year 

RECOMMENDATION: If your users don't need 
advanced office suite features, Google Apps can 
provide what you need at a low price. You might 
need things Google doesn't provide, though, so 
be aware of its limitations. 

CONTACT: google.com/apps 


Web Apps 

With Office 365, you can use a locally installed copy of Office instead of the web apps—in fact, many of Office 365's subscription plans require you to do so. I tested Office 365 with Office 2007, and it worked fine. You're basically working with documents as usual, but they're saved to Office 365 instead of your local machine. (For a complete list of the available plans and details about which plans include access to web apps and which require locally installed copies of Office, see www.microsoft.com/en-us/office365/plans/small-business/email-calendar.aspx, www.microsoft.com/en-us/office365/enterprise-solutions/enterprise-plans.aspx, and www.microsoft.com/en-us/office365/education/school-services.aspx.)

Both Google Apps and Office 365 provide functional word processors as web apps, and it's difficult to pick a winner between them. I prefer Google's interface, but it's mostly just a matter of taste. The Word web app's interface seems sparse because the ribbon interface looks odd with only three tabs. The only feature I regularly use in a word processor that isn't available in the web apps is change tracking, and the collaboration features in both suites can probably substitute for most applications.

As far as spreadsheets go, Google has an edge over Microsoft. You can't right-click in the Microsoft Excel web app, which I do frequently, for tasks such as resizing rows and hiding and unhiding them. This last function is especially important—I know plenty of people who use Excel's hide function to make it easier to look at parts of a spreadsheet, and as far as I can tell, there's no way to use hide in the Office 365 web apps. If you import a document with hidden rows or columns created in the offline version of Excel, you can't change or view the hidden parts without going back to offline Excel. Google's spreadsheet app doesn't work exactly the same as in Excel, but I found it easy to transition to using it. Support for Excel formulas in Google spreadsheets has improved dramatically in the past few years, with most basic Excel formulas easily replicated. Google spreadsheets also supports more advanced spreadsheet features, such as pivot tables, charting, and image embedding. I would miss some of Word's features if I switched completely to Google Docs, but I don't think I'd miss Excel.

Office 365 beats Google Docs hands down for presentations—or at least for viewing previously created Microsoft PowerPoint presentations. I tried two different PowerPoint presentations in both apps: a Microsoft deck from a trade show and a relatively simple single slide with text labels. Office 365's slides looked the same as in the desktop version of PowerPoint and would've been usable for a presentation. In Google's tool, however, they were a mess—some images were missing, in some places the text was completely unreadable, and even the simple slide had the labels formatted incorrectly and moved around. In Docs' favor, the Google web app could actually edit the text on all the slides, whereas in Microsoft's case, text sometimes seemed to be stuck behind images and I couldn't figure out a way to change it—as far as I could tell, there's no way to move things forward or backward.

I won't go into the email or calendar features of the two services—you probably have some experience with both Outlook and Gmail. For mobile support, Google definitely leads in my book. Google's web apps work very well on my Android phone, with mobile-specific features to make viewing and working with documents easier. Office 365 wouldn't work at all on my phone, however—for now, Office 365 plays nice only with Windows Phone 7.

Figure 2: Office 365 team site

Microsoft Office 365 

PROS: Tightly integrated with offline Office applications; advanced meeting features; big-business infrastructure for smaller businesses

CONS: Relatively expensive and complex licensing; limited device and browser support; limited web apps

RATING: 

PRICE: From $4 per user per month to $27 per 
user per month 

RECOMMENDATION: If your users need all the features you get from using full Office applications, and if multiple device support isn't too important, Office 365 is a good choice.

CONTACT: office365.com 


Use Cases 

With Office 365, Microsoft basically offers its server room infrastructure—Exchange and SharePoint—moved into the cloud. Users get the same experience they'd get with a simple, local installation of Office, but with some perks—collaboration and version tracking are easier, for example. Users can view files from a browser, but light editing or working with text documents is about all you should plan on users doing from anything other than their work PCs.

With Google, you get a lot closer to what I think of as "working in the cloud." There's no local application to install, and you can work from pretty much any device with a browser. Your users can sign in with a Google account and work from their work PCs, friends' computers, Linux machines, phones, or tablets. Google's web applications beat Microsoft's, but you don't have tight integration with local applications.

Both companies' products seem, at this point, like early versions, with a few kinks to work out. However, both are functional and user friendly. Neither product is bad, and both deliver on what they promise, as long as you're willing to live with their limitations. My recommendation depends on what your company needs. If your employees use all the advanced features of Word, or if you want all the advanced meeting and calendar features you get with Exchange and Lync, Office 365 is the best choice. But if you don't need every feature in Office, you'd save big money by going with Google Apps and Docs—and you wouldn't have to worry about licenses for Office. Plus, you'd give your employees the option of working from pretty much anywhere.

InstantDoc ID 140011 


Zac Wiggy (products@windowsitpro.com) is the former products editor for Windows IT Pro and SQL Server Magazine. He has more than seven years' experience as a technology journalist, newspaper reporter, and editor.
BUYER'S GUIDE


Windows Scripting Editors

Improve your scripting experience by using a multi-featured 
Windows script editor 

by Anne Grubb 


There's a lot to be said for being a do-it-yourself (DIY) type. In the IT pro world, the person overseeing IT operations often wears multiple hats (system, network, phone admin, Help desk) or, at the very least, has a limited budget for investing in new products. In such environments, being unafraid to roll up your sleeves and script your own solutions for IT task automation, monitoring, and deployment is a big plus.

But even the most dedicated DIYers can benefit from using a state-of-the-art Windows scripting editor, instead of banging out code in a basic text editor such as Microsoft Notepad. The 13 scripting editor products offered by 10 third-party vendors listed in the table on page 54 provide capabilities geared toward simplifying the coding, debugging, and maintenance of administrative scripts and make creating scripts an easier, more efficient experience than using a plain-vanilla text editor. Note that the guide excludes free, open-source editors (e.g., the popular Notepad++).

What's in a Windows Scripting Editor? 

What important features should you look for when evaluating a Windows scripting editor product? If you're performing administrative scripting tasks in a Windows Server environment, you're likely performing them using Windows PowerShell, which is the de facto scripting environment for a number of Microsoft products. So if your scripting language of choice is PowerShell, you'll want to make sure that the scripting editor supports PowerShell, as well as any other scripting languages (e.g., VBScript, JavaScript) that you intend to use for scripting or even development tasks.

Most of the editors in this buyer's guide support PowerShell, and many of them support VBScript and/or JavaScript, which are popular languages in Windows scripting. Some of the products support other scripting languages, such as ES-Computing's EditPlus and Just Great Software's EditPad Pro, both of which support PHP, Perl, Python, Ruby, JavaScript, and VBScript (EditPad Pro also supports PowerShell). Noteworthy in regard to language support is SAPIEN Technologies' PrimalScript 2011, which supports more than 40 scripting and programming languages. On the other end of the language-support spectrum is Quest Software's PowerGUI Pro, which is strictly for PowerShell scripting.

There are, of course, other features to consider besides what 
languages an editor supports. Color-coded syntax is, by now, a 
standard feature and is found in all the scripting editors included 
in this buyer's guide. Debugging support and autocompletion 
(i.e., the editor completes the command or phrase after the user 
types the first few characters) are also standard in most of the 
editors listed. Another feature to consider in a scripting editor is 
whether the product lets you set breakpoints—a useful capability 
for debugging. 

File-comparison and source-control support are two additional features that might be important to you, especially if you're working on a multi-person IT team or in a development environment in which multiple versions of files are likely to exist if scripts or other programs are written and maintained by various people. File comparison, as its name implies, compares files and then reports the differences (e.g., dates, folder structure, text changes). Source control, or version control, manages multiple-user changes to a program, file, or document to avoid conflicting changes.

Beyond Editors 

Two products that also deserve mention aren't strictly code-editing tools but can be considered as alternatives to traditional scripting editors. The first product, Quest Software's PowerGUI Pro, provides many basic editing features, but the product's primary purpose is to provide a graphical PowerShell administrative console—that is, a means to help IT administrators avoid writing PowerShell code. PowerGUI Pro is included in the buyer's guide list.

The other product, ScriptLogic's Desktop Authority (ScriptLogic is part of Quest Software), provides a scripting alternative by automating IT desktop administrative tasks (e.g., password management, software and update deployment) without the use of logon scripts. (ScriptLogic declined to be included in the buyer's guide.)

Finally, a product submitted for inclusion in the buyer's guide, Alexey Martseniuk's PowerShell SE, is in beta and therefore isn't listed in the guide, which includes only released products. However, the tool is worth a mention because it's somewhat different from other PowerShell editors, in that it's based on the built-in Windows PowerShell Integrated Scripting Environment (ISE) and is essentially a customized ISE.

WINDOWS SCRIPTING EDITORS

| Company | Product | Price | Platforms Supported | Hardware Requirements | Scripting Languages Supported | Debugging? |
|---|---|---|---|---|---|---|
| Adersoft, 33 140 261 741, www.adersoft.com | VbsEdit | $59 | Windows XP or later; Windows Server 2003 and later | N/A | VBScript | Y |
| Adersoft | HtaEdit | Ships with VbsEdit | XP or later; Server 2003 and later | N/A | VBScript/JavaScript | Y |
| ES-Computing, www.editplus.com | EditPlus | $35 | Windows 7/Vista/XP; Server 2003 | 1 GHz or higher processor, 1GB of RAM | PHP, Perl, Python, Ruby, JavaScript, VBScript | N |
| FastTrack Software, www.fasttrackscript.com | FastTrack Scripting Host | $450 | Windows 7/Vista/XP/2000/NT4; Windows Server 2008/2003 and Windows 2000 Server | 400MHz, 256MB RAM, 50MB free disk space | Proprietary language | Y |
| Idera, 713-523-4433, www.idera.com | Idera PowerShell Plus | $199 per user | Windows 7 (x86/x64), Vista (x86/x64), XP SP3 and later (x86/x64); Server 2008, Server 2003 SP2 and later (x86/x64) | N/A | PowerShell scripts and modules, XML, HTML, C#, VB.NET, VBScript, batch files, plain text and snippets | Y |
| IDM Computer Solutions, 513-892-4915, www.ultraedit.com | UltraEdit | $59.95 | XP and later; Linux; Mac | XP or later system | Any (general text editor) | N |
| IDM Computer Solutions | UEStudio | $79.95 | XP and later | XP or later system | Any (general text editor) | Only with WinDbg |
| iTripoli, 866-263-0774, www.itripoli.com | Admin Script Editor | $99/$199/$299 editions | XP and later | 8MB RAM, 200MB free disk space | PowerShell, VBScript, KiXtart, AutoIt, Batch | Y |
| Just Great Software, www.just-great-software.com | EditPad Pro | $49.95 for 1 user | Windows 7/Vista/XP/2000 | N/A | JavaScript, VBScript, Perl, PHP, PowerShell, Python, Ruby | N |
| Quest Software, 949-754-8000, www.quest.com | PowerGUI Pro | $199 per seat, perpetual license; all prices include license fees and standard first-year maintenance | PowerGUI Pro: Windows 7, Vista SP1, XP Pro SP3; Server 2008/2008 R2, Server 2003 SP2/R2 SP2. MobileShell: Computer or iPad; iPhone 4/3Gs/3G and other mobile devices; BlackBerry OS 6.0 and 5.0; Android OS 2.2 and 2.1; Windows Phone 7 | PowerGUI Pro: CPU: 1GHz 32-bit or 64-bit; memory: 1 GB; disk space: about 70MB for the setup and extra disk space for user profiles and PowerPacks not included in setup. MobileShell: Supported platforms: Intel x86, AMD64, or Intel 64 (EM64T); memory: 1 GB of RAM for server and an extra 100MB of RAM per user session; disk space: 75MB | PowerShell | Y |
| SAPIEN Technologies, 707-252-8700, www.sapien.com | PrimalScript 2011 | $299 | Windows 7 (any edition) 32- and 64-bit versions, XP SP3; Server 2008/2003 | 120MB free disk space, 1 GB of RAM, processor capable of running XP | PowerShell, VBScript, JavaScript, ActionScript, System Policy Editor, Flex, AutoIt, ASP, ASP.NET, AWK, C, C++, CH, CSS, IDM, CFML, Batch, C#, Flash, HTML, HTA, Install Script, Registry Files, INI Files, Java, JScript, JSP, KickStart, LotusScript, LUA, Pascal, Perl, BASH, PHP, Python, REBOL, Rexx, Ruby, SQL, TLC, VB.NET, WinBatch, XML | Yes for PowerShell, VBScript, and JavaScript |
| SAPIEN Technologies | PrimalForms 2011 | $299 | Windows 7/Vista/XP SP3; Server 2008/2003 | 120MB free disk space, 1 GB of RAM, processor capable of running XP | PowerShell | Yes with watch, call stack, variables, and separate PowerShell Debug Console |
| ScriptCode.com, 866-708-0900, www.scriptcode.com | ExeScript Editor | From $99.95 | Windows 7/Vista/XP; Server 2008/2003 | Approximately 20MB of free disk space; processor capable of running Windows 2000 | PowerShell, VBScript, JScript, Windows command shell (.bat and .cmd), WSF, WSH, HTA, Object Rexx, PerlScript, Python | Y |


WINDOWS SCRIPTING EDITORS (continued)

| Product | Set Breakpoints? | Autocompletion Features? | Color-Coded Syntax? | File Comparison? | Source-Control Support? | Other Editor Features |
|---|---|---|---|---|---|---|
| VbsEdit | Y | Y | Y | N | N | Code snippets, samples, object browser, can convert script into executable |
| HtaEdit | Y | Y | Y | N | N | Code snippets, samples, object browser, can convert HTAs into executable |
| EditPlus | N | Y | Y | N | Y | FTP and SFTP, code folding, integrated web browser |
| FastTrack Scripting Host | Y | Y | Y | N | N | Context help, script save validation, auto encryption |
| Idera PowerShell Plus | Y | Y | Y | N | In version 4.1 | Integrated library management, community script search/publish, sample scripts, code snippets, variables watch list, error list, code signing, code folding, bookmarks, scripting tutorials |
| UltraEdit | N/A | Y | Y | Y | Yes (via user tool) | See www.ultraedit.com/products/ultraedit/ultraedit_features.html |
| UEStudio | Y | Y | Y | Y | Yes (integrated support and user tool) | See www.ultraedit.com/products/uestudio/uestudio_features.html |
| Admin Script Editor | Y | Y | Y | Y | N | Integrated form designer, drag-and-drop script builder, database code builder, ADSI code builder, WMI code builder, XML code builder, script packager, and more (see www.adminscripteditor.com/features/index.asp) |
| EditPad Pro | N | N | Y | Y | N | Support for other scripting languages can be added by the user to the same level as the languages for which EditPad Pro has built-in support, by creating syntax coloring and file navigation schemes based on regular expressions |
| PowerGUI Pro | Y | Y | Y | N | Works with various version-control systems (Microsoft Visual SourceSafe, Microsoft Team Foundation Server, Subversion with the TortoiseSVNSCC provider) | Syntax highlighting, IntelliSense, code snippets, block indent, block comment, bookmarks, AutoRecover, code folding, viewing definition of functions, and others |
| PrimalScript 2011 | Y | Y | Y | Yes, through included PrimalMerge application | Y | Multi-platform support, 64-bit PowerShell debugger, 64-bit VBScript/JScript debugger, dynamic Help window, platform-sensitive PowerShell PrimalSense, standard XML snippet format, multiple embedded shells (e.g., PowerShell, Cmd, Bash), debugger meta comments, elevated script debugging, visual change tracking, SAPIEN Document Explorer, and others |
| PrimalForms 2011 | Y | Y | Yes, with automatic syntax checking | Yes, through included PrimalMerge application | Y | Forms designer, 32-bit and 64-bit PowerShell consoles, supports 32- and 64-bit PowerShell, Script Packager with encryption, elevated privileges, manifests and version info, separate debug console, VS-compatible code snippets, integrated PowerShell Help, WMI browser, PowerShell browser, .NET browser, multi-form project creation, form templates, and others |
| ExeScript Editor | Y | Y | Y | N | N | Fully integrated script development environment, full Unicode support, powerful script debugger, script protection, context-sensitive reference, built-in object browser, numerous samples |

A Spectrum of Prices and Capabilities

As you'll find in the buyer's guide, scripting editor offerings fall within a spectrum comprising at one end lightweight products with a few enhanced editing capabilities, such as Just Great Software's EditPad Pro, Adersoft's VbsEdit/HtaEdit companion products, and IDM Computer Solutions' UltraEdit and UEStudio, to the mid-range Idera PowerShell Plus, iTripoli's Admin Script Editor, and ScriptCode.com's ExeScript Editor, to higher-end products such as SAPIEN Technologies' PrimalScript and FastTrack Software's FastTrack Scripting Host, which offer a fuller complement of editing capabilities plus other features. If you're a one-person IT organization on a tight budget, any of the lower-priced products will probably serve your needs just fine. But if you're working in a larger IT environment creating and managing hundreds of management scripts, the higher-end, full-featured scripting editor solutions ought to be within your purview.


INSIGHTS FROM THE INDUSTRY 


6 Reasons Why Google+ Will Succeed 


Google+ has been available for several 
months, and I've spent some time playing 
with the service. After fiddling with circles, 
sparks, and huddles, I've come down on 
the side of those who think Google+ is here 
to stay, and that it brings some new and 
innovative features to the table. Yet while 
Google+ competes with existing social 
media platforms on some level, I'd argue 
that Google's ambitions for Google+ go far 
beyond simply competing with Facebook. 

1. It's Not Facebook 

Some bloggers and pundits have already dismissed Google+ as a poor clone of Facebook. While Google+ does have some features that are comparable to Facebook, it isn't fair to dismiss it as a feature-for-feature clone. Granted, Google+ can't match Facebook's impressive 750 million user base, and I doubt it will ever usurp Facebook as the social media platform of choice for posting photos of Hummel figurine collections, reports of embarrassing office parties, or serving as the online soapbox of choice we all use to tell our own airbrushed versions of reality. (Those of you who have never used Facebook to post pictures of your kids, brag about a recent vacation, or subtly tried to let everyone know how great of a person you are can be excused. Still here? I thought so.)

2. Social Is the New Search 

Part of that broader ambition for Google+ is improving Google search, which has suffered an increasing amount of criticism over the past 12 months concerning deteriorating search result quality. Google is continually updating its search algorithm to provide better search results, and part of that improvement includes the addition of social media factors. More people than ever are using social media to select and distribute online content to their friends, and Google+ (and the new Google +1 feature) are two of Google's attempts to bake more social media factors into search and determine the "social value" of individual websites.

3. Google+ Everywhere 

While Google may have been late to embrace social media, the Google+ strategy intends to leverage all of the company's strengths in a way that previous efforts haven't. I believe Google intends to embed Google+ support across its entire product family, from Google search to Gmail, YouTube, and beyond. In this sense, using Google+ isn't analogous to adopting yet another social media platform, as Google is simply adding Google+ functionality to services we're already using. Capitalizing on your strengths is always a valid business strategy, one that Apple and Microsoft have been especially effective at employing.

4. Consumerization Is Driving the IT Agenda

The adoption and use of computing devices and services intended initially for consumer use in the enterprise is increasing, and Google is one of the companies leading the charge. Microsoft has been forced to react to this change, with the recent unveiling of Office 365 and the long-overdue move to Windows Phone 7 being responses to the success of consumer-focused cloud services and mobile devices, respectively. Google is embracing and driving this trend perhaps more than any other vendor, with Gmail and Google Apps for Business and Education in the cloud space, and Google Android in the smartphone market. Amazon may challenge Google in the cloud arena, and Apple is a strong competitor in the mobile space.

Google has emerged as a driving force in the consumerization of IT, and Google+ has the potential to have more of an impact in the enterprise than Facebook. Consider this: Millions of business users are already using Google Apps under the radar of corporate IT to share and collaborate on documents and spreadsheets in the cloud. Why wouldn't they consider using Google+ to collaborate and exchange information even more closely, especially when Google+ is available for free with a standard Google account?

The advent and adoption of Google+ in 
the enterprise may make things difficult 
for pure-play social enterprise vendors like 
Yammer very quickly. 

5. Business Value Trumps Novelty 

Every business on the planet has a vested interest in doing well in Internet search rankings, and Google has made it very clear that Google+ and the Google +1 feature will have an impact on search. Performing poorly in Google search can result in millions of dollars in lost revenue for some companies, so the pressure on businesses to embrace this trend will be overwhelming. Companies are already bolstering their social efforts on Twitter, Facebook, LinkedIn, and other emerging social media platforms to help boost their search results, and that trend will undoubtedly continue.

6. Unique Features 

Google has clearly done its homework with 
the features offered in Google+, with at 
least two of them—circles and huddle— 
being singled out most often for praise by 
early adopters. Circles is a much easier and 
more effectively implemented method of 
managing your online relationships with 
different groups of people, and huddle is a 
group video and text messaging feature. 

Have you taken the plunge into Google+ 
yet? Let us know what you think of 
Google's latest product offering by starting 
up a discussion on Twitter (@jeffjames3). 

—Jeff James 
INDUSTRY BYTES


Smartphone App Addiction: It Could Be a Good Thing 


MTV Networks, along with Latitude 
Research, recently released a new study 
about smartphone app usage. (To learn 
more about the study, visit bit.ly/isGn3B.) 
The research involved a survey of more 
than 1,300 people who reported using 
apps daily, as well as in-depth interviews 
with app consumers. The key findings of 
this research fall into two areas. The first 
area has to do with how our app addiction 
is changing our daily lives—and, at least in 
the way they've presented their findings, 
changing them for the better. 

The study found that 83 percent of respondents reported being addicted to apps. However, this app addiction is presented as having a positive effect on people's lives in three distinct ways. In a personal focus, "apps allow intense personalization and hyper-focus, filling our idle moments with 'me time' on-demand." Apps are also described as making everyday life better by improving productivity, and thereby creating free time and "opportunities for positive discovery." Finally, apps provide exposure to new things—whatever that might mean in this context.

The second key finding describes a 
typical four-stage app life cycle: 

1. Discovery—The study points out that most app discoveries are a result of recommendations, which include personal recommendations from someone you know and user reviews in the app stores—so, if you write such reviews, be honest and write well; proofreading is so easy yet important!

2. Adoption—The adoption stage is when you make the decision to download an app. For paid apps, the price was a large determining factor in whether users chose to download it; having a free or preview version available made the decision somewhat easier. The decision about whether to download a free app is governed largely by user and personal recommendations.

3. Trial—After you've downloaded that new app, you've got to test it out and see if it lives up to expectations. However, a significant portion of downloads appear to be deleted within 3 weeks. Of those apps that are kept, many users report checking that app at least once a day. In certain categories (gaming, entertainment), those apps are being opened several times a day. Yeah, it's an addiction.

4. Abandonment or Long-Term Usage—The final stage: Even an app that passes the trial stage might be abandoned after its usefulness has passed. However, apps that continue to provide new content or new experiences are likely to stay in regular use. Also, users want apps to be fun and entertaining.

— B. K. Winstead 


Leverage SCSM to Allow End Users to Trigger 
Orchestrator Runbooks 


While you can think of Microsoft System Center Orchestrator as the glue that binds the System Center suite together, Microsoft System Center Service Manager (SCSM) increasingly seems to be the front end that makes it straightforward enough that anyone can initiate Orchestrator runbooks. SCSM can do some very interesting things, primarily because it's designed to fully integrate with other products in the System Center suite.

For those not up-to-date on Orchestrator nomenclature, a runbook is a set of automated tasks that administrators can put together. It's sort of like writing a script, but instead of doing it all in PowerShell, a drag-and-drop interface links specific tasks together. When you build a runbook, you draw tasks together from an Orchestrator IP. An IP is a collection of product-specific tasks. Depending on the IP, a task might be to create a new VM from a template, recover a SQL Server database, or get Data Protection Manager (DPM) to protect a specific data source.

Although you can use runbooks to heavily automate processes, in some situations you need to pass information to a runbook for it to do anything. Examples include the details of the virtual machine (VM) template that you want to use to provision a new VM using Microsoft System Center Virtual Machine Manager (VMM), or the details of the database that you want to recover using DPM. By hooking SCSM into Orchestrator, you can create forms in SCSM that let data pass directly to Orchestrator.

For example, you could create a runbook in Orchestrator that allows for the recovery of a SQL Server database by leveraging DPM. You can then configure SCSM so a portal page is available that lets users perform database recovery. By linking SCSM to Orchestrator, you can query the DPM server to populate a drop-down list of available recovery points, allowing the portal user to specify which recovery point he or she wants to recover from rather than having to request that a recovery operation be performed by a DBA or DPM administrator.

Leveraging SCSM, Orchestrator, and DPM, you can get all the back-end stuff working so that from the perspective of a database user, database recovery becomes as simple as recovering a file from a folder using the Previous Versions of Files functionality.

—Orin Thomas 
InstantDoc ID 140059 
Ctrl+Alt+Del

by Jason Bovberg 


"Send your funny screenshots, oddball product 
news, and hilarious end-user stories to rumors@ 
windowsitpro.com. If we use your submission, 
you'll receive a Windows IT Pro Rubik's Cube." 







Last month in this space, we shared our favorite product of the year, a set of coffee mugs immortalizing everybody's favorite three keys on the keyboard. We thought we'd take a look around the Interwebs and see what other kinds of Ctrl+Alt+Del products have been bought and sold in the wild. And we found a number of fun Ctrl+Alt+Del-themed things, from candy to rings to framed art to coasters to pillows to switch plates to tee-shirts.

It's been over 35 years since David Bradley, an IBM engineer, invented the command. Little-known fact: Bradley's work required him to frequently power down and restart his computer, so he created the shortcut to save time. He never intended to make the combination public, but IBM urged him to do so because it was so useful. Later, Bill Gates included Ctrl+Alt+Del as part of the logon procedure. Bradley has said, "I may have invented Ctrl+Alt+Del, but Bill Gates made it famous."
Ontolica FAST Management

Want the benefit of FAST for SharePoint ... without the headache?

FAST for SharePoint is a powerful search solution, but difficult to operate. Ontolica FAST Management makes it easy.

SurfRay Proudly Announces Ontolica FAST Management

The Ontolica FAST Management solution is the world's first toolset to make FAST management simple. It will revolutionize how you leverage the power of FAST to achieve your business objectives.

Ontolica FAST Management gives you an intuitive UI directly in the SharePoint Administration interface. Forget XML configuration files, manual file deployments, complex PowerShell configuration, and management scripts. Unlock the power of FAST now!

Ontolica FAST Management features:

• Simple workflow-oriented management interface directly in the SharePoint admin UI

• Create configuration snapshots as backups or manage deployment templates

• Manage any number of pipeline extensions including execution order

• Rapidly create and manage multiple relevance profiles including static and dynamic parameters

• Build, test, and deploy JDBC connections quickly and effectively

• Create, modify, and manage FAST Web crawler configurations

• Simple, intuitive administration pages with user-friendly help including property lookup

• No need for PowerShell, XML editing, or manual file deployments

Get a demo: Meet us at booth #239 at the Microsoft SharePoint Conference 2011, in Anaheim, and see Ontolica FAST Management live.

More information at: www.surfray.com/fast
Governance
Dan Holme dives into governance, the cornerstone to a successful SharePoint implementation—sharing 4 key steps in creating a governance plan.

Using Custom Actions to Empower SharePoint Designer 2010 Workflows
Andrew Connell shows you how to address SPD 2010 limitations with the help of Visual Studio.

Find out how 3 key lessons learned the hard way helped Todd O. Klindt finally "get" Windows PowerShell.

facing websites on SharePoint 2010—among them, these 3.

From SLAs to custom code, admins and devs need to understand their differing agendas, says Randy Williams.
15 SharePoint 2010 Branding Tips

Celina Baginski shows you insider tricks for smarter 
SharePoint design. 

SharePoint 2010 Backup and Recovery 

Ron Charity walks you through how to create a SharePoint 
backup and recovery plan to help minimize SharePoint 
downtime and data loss. 


Products and Reviews 


Buyer's Guide: SharePoint Document Management Solutions

Caroline Marwitz explores third-party SharePoint document 
management solutions that you can use to make SharePoint 
work best to suit your organization's needs. 



New and Enhanced 

SharePoint solutions and product news from Workshare, 
Syncsort, and LOGbinder. 


Editor's Note: 

We are pleased to be able to bring you this issue of SharePoint Pro 
as a supplement to Windows IT Pro. We hope you find the additional 
content beneficial. While this is the last print issue of SharePoint 
Pro, you can continue to access the same quality news and technical 
content on our website at www.sharepointpromag.com. 
SharePoint diagnostic manager

Turning data into knowledge

"Previously, when an outage occurred overnight, we wouldn’t know about it until the next day... Now, SharePoint diagnostic manager lets us know immediately when there is a problem and we can get it resolved right away."

- Ben Adams, SharePoint Systems Administrator, Cooper Industries

DON'T WAIT UNTIL USERS START TO COMPLAIN - GET ALERTED THE SECOND A PERFORMANCE ISSUE ARISES!

PRODUCT FEATURES

> Enhanced alert details, responses, and knowledge base - drill into a problem to find out what is going wrong and how to fix it

> 24x7 monitoring of multiple farms and farm servers

> At-a-glance summary of SharePoint health

> Alerts for page, control, and server performance

> Page analysis to pinpoint the cause of slow pages

> Historical data for trending and forecasting

DOWNLOAD A FREE 14-DAY TRIAL AT WWW.IDERA.COM/SharePointDM
Guest Editorial

By Dan Holme

SharePoint 2 Years Later:
The Conversation Changes


October 2009, Las Vegas: Microsoft unveils the latest version of SharePoint—rebranded as SharePoint Server 2010. Significant architectural changes for services and authentication. Major investments in business intelligence (BI) and social networking. Customers wonder if SharePoint is ready for prime time for enterprise content management and whether BI will be easier than it was. Some ask, “Why would I want Facebook-like features in my enterprise?” The few Microsoft Online customers ask when BPOS will be upgraded to SharePoint 2010. Analysts expect strong adoption of SharePoint Server 2010.

October 2011, Anaheim: The company throws possibly the biggest (my guess, as of press time) SharePoint event in history—the Microsoft SharePoint Conference 2011. Adoption of SharePoint 2010 is overwhelming. SharePoint is worth well over $1 billion, and Microsoft claims sales of more than 20,000 new CALs for SharePoint per day.

Two years later, and my, how things have changed! The conversation is no longer “Is SharePoint ready for enterprise content management?” It became “Why does Microsoft arbitrarily limit us to support of a 200GB content database when we have terabytes of content we want to migrate to SharePoint from our file servers and [name your favorite competitive content management system]?” Well, it wasn’t arbitrary—Microsoft had to ensure it had done enough testing to stand behind higher levels of support, and this year it had the resources to focus on that task. Now the limits are sky high, as long as performance requirements are met (0.25 to 2 IOPS per GB stored) and architecture and tools to support SLAs have been considered.
And the conversation continues: “What about records management and compliance with [name your favorite regulation or policy]?” Several ISVs have stepped forward with solutions to fill the gaps. As enterprises realize that SharePoint has become, or is rapidly becoming, a mission-critical content repository, the conversation has changed: “How do we reduce costs of storage and provide IT assurance for this service, so that this content is recoverable in [name your favorite data corruption or disaster scenario]?” Other ISVs stepped forward with solutions for infrastructure management and IT assurance, including solutions that leverage Remote BLOB Store (RBS), which after quite a bit of drama, debate, and in-fighting within the community and within Microsoft itself, Microsoft has now firmly stood behind as a real solution—when applied and architected correctly—to storage management.
Along the way, enterprises extended their collaboration on SharePoint—to distant and disconnected users, to customers, to partners, to vendors, and to the general public. Huge pain points still exist in some of these scenarios, but one of the many solutions is the cloud. In June 2011, Microsoft finally updated its online offerings to include SharePoint 2010, rebranding it as Office 365, with huge improvements but some painful gaps that Microsoft will be filling with each update and, eventually, with “Wave 15” (SharePoint vNext).


The conversation is now, “Is the cloud enterprise-ready?” and, in the case of Office 365, the answer is highly dependent on your business requirements and the specific application. Exchange—probably yes. SharePoint—in limited scenarios, maybe. Office 365 is—according to Microsoft—really about providing a heretofore-absent solution for SMBs.

Wave 15? Watch out! If Microsoft succeeds in boosting SharePoint vNext the same way it boosted Exchange 2010 SP1 for the cloud, we’ll be looking at a really amazing, enterprise-ready story for public and private cloud, and (most importantly) “hybrid” SharePoint.

BI? What I see in customers is adoration for PowerPivot and Excel and less enthusiasm about everything else. I claimed that MOSS 2007’s BI features were a diving board into an empty pool (using a metaphor from another MVP). SharePoint 2010 seems to have filled the pool with water, but not many are swimming. Excel is where we do our real analysis. I bet Microsoft has noticed now.


And social? The conversation now is far less “Why” or “We’re scared of [name your favorite fear of social networking]” and is far more, “We get it and we can’t get enough of it!” Clever ISVs have stepped in to add critical missing social features—microblogging, better communities—and I’ve seen customers doing very cool things with MySites, including moving traditional “My Documents” data to users’ My Sites, which instantly enables web-based, device-independent (iPad, anyone?) access to data.

Two years ago, we were handed an envelope stuffed with new features that were, in some cases, half-baked (UPS war stories, anyone?) and in other cases were not yet relevant to many. Today, we’ve torn into that envelope, and we’re pushing it further than Microsoft really envisioned.

I’ve observed Microsoft listening—to its customers, to analysts, to partners, and to its own innovators. I’m optimistic that this time next year we’ll all be testing a version of SharePoint that not only answers many of our concerns but also advances us further.

InstantDoc ID 140176

Dan Holme is an MVP in SharePoint Server and is the Chief SharePoint Evangelist for AvePoint. Connect with Dan and follow his musings on Twitter @danholme. He still has email, but that’s so last-decade.
By Randy Williams

Feature

What SharePoint Admins Need to Know to Work with SharePoint Devs—And Vice Versa

From SLAs to custom code, admins and devs have different agendas but a common goal

Over the past few years, the friction that’s developed between IT administrators and developers has diminished somewhat. But not everywhere. In general, the adoption by businesses of process models such as IT Infrastructure Library (ITIL) and Capability Maturity Model Integration (CMMI) has increased the maturity of their operations. But one thing that hasn’t improved is collaboration between administrators and developers in the delivery of SharePoint. Ironic, considering SharePoint was designed to foster collaboration.

Part of the reason is that SharePoint is still relatively new and not well understood. More significant still is that SharePoint isn’t typically used just out of the box—it’s designed to be enhanced by custom code. In this respect, SharePoint is also a technology platform.

What does this mean? Let’s compare SharePoint to Microsoft Exchange Server for a moment. Email is ubiquitous, and the way that it’s used varies little from organization to organization. Although email programs have many important configuration options, you rarely use custom code to modify how the program looks or works. If you have Microsoft Office Outlook and Exchange Server working correctly, you’re set.

SharePoint is a different story. The way in which it’s used varies widely, and the out-of-the-box product sometimes falls short of actual business needs. Although SharePoint is massive, it doesn’t do everything. So we use custom code to enhance it by adding features such as custom Web Parts or custom workflow solutions. In some cases, a new look and feel and new business rules are used to mold SharePoint into something quite different from the RTM version. The ability to plug in custom code is what gives SharePoint this malleability. Have you ever wondered why there are so many third-party software vendors selling SharePoint add-ins? It’s precisely because of SharePoint’s design as a platform.

Problems with Custom Code 

You might be thinking, “How does custom code create friction?” In many ways, actually. Did you know that the number-one factor behind SharePoint support issues is custom code? Custom code can introduce security vulnerabilities. It can cause performance problems and can destabilize the farm. And it can complicate troubleshooting. For example, when you troubleshoot a web application that’s throwing errors, it’s a challenge to isolate the source of the problem—whether it’s custom code, misconfiguration, or some out-of-the-box problem. Custom code can also affect your ability to upgrade the program. Case in point: Some companies continue to run SharePoint 2003 because of the pain and effort involved in upgrading. Custom code can also complicate disaster recovery procedures. Case in point: Replacing a crashed SharePoint web server is much more difficult if custom code has been introduced, especially if the code has been manually deployed.
Admins and Devs


When business units expect a customized SharePoint experience, developers do their part by building it. However, administrators must support the customization. And if the custom code introduces problems, the process creates friction. The solution to this dilemma—and the key to a successful and harmonious SharePoint deployment—is to recognize that both the admin and developer roles are essential and interdependent. There must be mutual understanding and respect between the two. In hopes of helping, I’ll explain what developers must understand about administrators—and vice versa. Along the way, I’ll cover several best practices.

What Developers Must Understand 

The most important aspect of a SharePoint administrator’s role is represented by a three-letter acronym: SLA. The service level agreement, whether formal or informal, is a contract between the SharePoint operations team and the business. The SLA is often described as a series of metrics, such as uptime percentage. How do SharePoint administrators define success in their jobs? By helping the operations team meet the SLAs. The more critical the system, the more difficult and challenging the SLAs. If the farm goes down at 2:00 p.m., who is the first person called? Not a developer. Whose job is on the line if the farm doesn’t come back online within the SLA window? Not the developer. Unscheduled downtime for even a few minutes isn’t acceptable for many businesses. To support their fellow administrators, developers must write quality code that ensures that the SLA isn’t compromised.

Furthermore, developers must understand the importance of keeping the production farm stable. Among other best practices, proper error handling must be applied to all custom code. Without effective error handling, users are often greeted by the not-so-helpful error message, “An unexpected error has occurred.” Developers should also run SPDisposeCheck (see the MSDN article “SharePoint Dispose Checker Tool” at bit.ly/iiE3D6) on their compiled assemblies (DLLs) to make sure that no memory leaks exist. The best way to make sure that your code is stable is to have other people review the code and perform thorough unit and integration testing.

When custom code is developed, it must be packaged as a .wsp file to automate the deployment. A .wsp file is a Windows SharePoint Services (WSS) solution package. This step is the single most important best practice for developers. Without a solution package in hand, administrators must manually deploy custom code and its configuration changes. This can take an incredible amount of work and bring down the farm if the code isn’t deployed correctly.

For this task, use tools such as WSPBuilder (bit.ly/52UyC) 
or the SharePoint project templates inside Visual Studio 
2010. Both tools create solution packages automatically. 


Also, use sandboxed solutions when possible. (See “SharePoint 2010 Sandboxed Solutions” at www.sharepointpromag.com, InstantDoc ID 125632.) Sandboxed solutions are .wsp files that can be deployed by anyone who is a site collection administrator. These packages don’t require a farm administrator’s involvement, and this saves those administrators time and effort. Moreover, sandboxed solutions can’t destabilize a farm in the same way that a regular solution package can. For example, if a custom sandboxed Web Part throws an unhandled exception, only the Web Part is broken, not the whole web page. Although there are limits to what sandboxed solutions can do, don’t let this stop you from using them where they can be used. They are still useful and relevant for many custom code requirements.

Security is obviously very important in a SharePoint environment. SharePoint often stores Personally Identifiable Information (PII) and may even hold trade secrets. When you write custom code, be sparing and cautious in how you use the RunWithElevatedPrivileges security method (see the MSDN article “SPSecurity.RunWithElevatedPrivileges Method” at bit.ly/cydiOv). Do not write code that requires the trust level of web.config to be elevated (see MSDN’s “Securing Web Parts in SharePoint Foundation” at bit.ly/NwGJg). If a sandboxed solution isn’t possible, you’re better off deploying the assembly to the global assembly cache. As a developer, you must know the organization’s security policy very well before you write any code. If a security policy doesn’t exist, help to create one, and include this policy with the governance or Application Lifecycle Management (ALM) plan.
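As an added example (not code from the article or from any product it names), here is a hypothetical Web Part in C# against the SharePoint 2010 server object model that puts together the error-handling, SPDisposeCheck-style disposal, and sparing RunWithElevatedPrivileges advice from this section; the Web Part name, list name, and trace category are constructed for the example.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls.WebParts;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Hypothetical Web Part (an added example, not from the article) that shows a
// read-only summary taken from a list that ordinary users cannot open directly.
// It applies the three practices the article asks of developers:
//   1. handle errors so users never see "An unexpected error has occurred"
//      and a fault in this Web Part does not take down the whole page;
//   2. dispose every SPSite/SPWeb the code creates (what SPDisposeCheck flags),
//      while never disposing SPContext.Current.Web, which SharePoint owns;
//   3. keep RunWithElevatedPrivileges to the smallest scope and the smallest
//      amount of data, so the elevation cannot become a general bypass.
public class AuditSummaryWebPart : WebPart
{
    // Constructed list name for the example; use the list that exists in your site.
    private const string ListName = "Audit Summary";

    // Trace category for the ULS log; the category name is an assumption.
    private static readonly SPDiagnosticsCategory TraceCategory =
        new SPDiagnosticsCategory("AuditSummaryWebPart",
                                  TraceSeverity.Unexpected, EventSeverity.Error);

    protected override void Render(HtmlTextWriter writer)
    {
        try
        {
            // Encode the output so list content cannot inject markup into the page.
            writer.WriteEncodedText(ReadLatestEntryTitle());
        }
        catch (Exception ex)
        {
            // Detail goes to the ULS log for administrators; the user gets a
            // specific, non-technical message and the rest of the page still renders.
            SPDiagnosticsService.Local.WriteTrace(0, TraceCategory,
                TraceSeverity.Unexpected, ex.ToString(), null);
            writer.WriteEncodedText("The audit summary is temporarily unavailable.");
        }
    }

    private string ReadLatestEntryTitle()
    {
        // Capture only the IDs outside the elevated block. Reusing
        // SPContext.Current.Site/Web inside the delegate would still run as the
        // calling user, because those objects were created with the user's token.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;
        string title = string.Empty;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            // Objects created inside the delegate run as the application pool
            // identity, so they are created here and disposed here.
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                SPList list = web.Lists[ListName];   // throws if the list is missing

                // Ask for exactly one item rather than enumerating the whole list.
                SPQuery query = new SPQuery
                {
                    RowLimit = 1,
                    Query = "<OrderBy><FieldRef Name='Created' Ascending='FALSE' /></OrderBy>"
                };
                SPListItemCollection items = list.GetItems(query);
                if (items.Count > 0)
                {
                    title = items[0].Title;   // only this one field leaves the elevated block
                }
            }
        });

        return title;
    }
}
```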

Developers must make only those changes that are supported by Microsoft. Among other considerations, avoid changing out-of-the-box files in the SharePoint root directory (which some refer to as the 14 Hive), and never change or add objects (e.g., tables, stored procedures, triggers) to the SharePoint content databases. (See MSDN’s “Support for changes to the databases that are used by Office server products and by Windows SharePoint Services” at bit.ly/dtnJ7W.)

SharePoint developers must understand SharePoint architecture from a developer’s perspective. This means that you, the developer, must understand the SharePoint technology platform and how SharePoint uses SQL Server, IIS and ASP.NET. By understanding SharePoint’s construction, you will understand how it can be enhanced by using custom code. This takes time, just as it takes time to write quality code. But it also makes you a better developer. Books such as Inside SharePoint 2010 (at Amazon’s website at amzn.to/dQOSn5) and Real World SharePoint 2010 (at Wiley’s website at bit.ly/e80mtk) help. Also consider classroom training to get hands-on, instructor-led guidance.
What Administrators Must Understand

Administrators must understand a few things too. First, know that writing SharePoint code is very challenging. SharePoint’s object model (the technology platform) is expansive and contains tens of thousands of API calls. Parts of the object model aren’t intuitive. Although the documentation is always improving, it still suffers from a shortage of quality explanations and examples. On top of that, many additional technologies are required in order to write SharePoint code. It’s truly an alphabet soup, ranging from HTML, CSS, AJAX, XSLT, and CAML to .NET, JavaScript, and the new client object models in SharePoint 2010. As in nearly all aspects of code writing, quality comes with a lot of experience, and most organizations struggle to find—or to afford—senior SharePoint developers.

As a SharePoint administrator, you must know how to 
deploy .wsp files. Although the concept is simple, you 
should understand what these packages do and how to 
retract (uninstall) them. For more information about this 
process, see “Solutions Overview” at bit.ly/gQchTO and 
“SharePoint Powershell for Solution Deployment (WSP)” at 
bit.ly/98DHnW. 

You can’t use Central Administration, SharePoint’s administrative GUI, for all administrative tasks. Therefore, you must become proficient in Windows PowerShell, the de facto command-line interface for SharePoint 2010. Because PowerShell lets you do some amazing things, such as making direct API calls, it gives you some of the same power that developers have without forcing you to use Visual Studio. If you’ve been holding back or just procrastinating, now is the time to get up to speed with PowerShell. The time that you invest will be paid back again and again in your increased productivity.

You must know how to read the SharePoint Unified Logging Service (ULS) log files and how to use them to troubleshoot problems. You can use tools such as ULSViewer (see MSDN’s “ULS Viewer” at bit.ly/dJu9kN) to get a real-time view of log files and to consolidate log files from multiple servers. You should know that SharePoint logs many messages to the Windows Application log as well. This is especially helpful because the messages in the Application log are less detailed than those in the ULS log, and this gives you a perspective of the problem from a higher level. In fact, when it comes to troubleshooting, administrators and developers need to work directly together. Troubleshooting the harder problems often requires different skill sets, and it never hurts to have another pair of eyes look over your work.

SharePoint administrators must understand the SharePoint architecture from an administrator’s perspective. This means that you, the administrator, must understand the different server roles (web server, application server, database server) and how each communicates with the others from a network and security perspective. This knowledge also helps you to understand (conceptually, at least) the technology platform. You can gain more insight into this process through books such as Professional SharePoint 2010 Administration (see Amazon’s website at amzn.to/h8cu57) and my own book, SharePoint 2010 Administration Instant Reference (at Wiley’s website at bit.ly/hWKo7H).

As an administrator, take a cue from developers and consider technical training if you have no formal training in SharePoint.

Stick to the Plan 

Despite SharePoint’s complexity, you should stick to your organization’s Application Lifecycle Management (ALM) plan. According to Wikipedia, ALM “is a continuous process of managing the life of an application through governance, development and maintenance.” Some people believe that because SharePoint is such a unique product that you can’t—or shouldn’t—follow existing processes. This is not true. You might have to adapt your existing processes to accommodate SharePoint. But considering SharePoint’s complexity and importance, it’s essential that you maintain the rigor and discipline of your current practices.

If your organization doesn’t have anything that resembles an ALM, administrators and developers should jointly create one. As part of this process, make sure that you have a complete test or staging environment that mimics production as closely as is technically possible. Be diligent in deploying and thoroughly testing custom code before it goes into production. If there is any point in this process at which administrators and developers should be resolving problems together, it’s in the staging environment. Friction is greatest when you are troubleshooting actual production problems.

Finally, both administrators and developers should be tapping into the ever-growing SharePoint community. Very likely, you will get to know and respect many other SharePoint developers and administrators—which, at the very least, makes working together over the course of your SharePoint career much more enjoyable.
By Dan Holme


Feature 


Designing SharePoint 
Governance 

From requirements to governable architecture 


Governance is the cornerstone to any successful SharePoint implementation. Without it, you are doomed to fail eventually—a lesson that many organizations learn the hard way.

Because governance matters so much, there is a lot of information about it, starting with the TechNet SharePoint Server 2010 Governance Resource Center (technet.microsoft.com/en-us/sharepoint/ff800826.aspx). There is no shortage of governance resources, from SharePoint MVP blogs to SharePoint Pro magazine and beyond.

Many of these resources focus on how to create a governance framework: how to assemble the people, policies, and procedures and how to develop a governance plan. But all too often, such discussions leave out a fourth equally important component of governance: technology.

You must understand the technology that you are trying to 
govern; you can’t ask it to do something that it cannot do. 
And you should use the technology to facilitate governance. 
In this first of a series of articles, I will explore the techni¬ 
cal side of governance and thereby answer several vital 
questions: 

• What does a governable SharePoint implementation 
actually look like? 

• What is the physical and logical architecture of such an 
implementation? 

• How many farms, servers, web applications, content 
databases, site collections, and sites does such an imple¬ 
mentation have? 

The initial answer to all three questions is, unfortunately, 

“It depends.” The answer depends not on SharePoint, but 
on what you are trying to achieve by using SharePoint. The 
best way to get to the answer that applies to you is to fol¬ 
low my four-step "Architecting Governance" process. By 
following this process, not only can you answer the previ¬ 
ous question, but you will have a logical, physical, and gov¬ 
ernable architecture that meets your business requirements. 

Given the limitations of space and time, this article will 
focus on the process itself, which involves four major steps. 


In future articles, I will explain how you can apply the 
process to specific scenarios, to gain prescriptive guidance 
towards successful architectures. And I will show you how 
to use the technology to automate and enforce your gover¬ 
nance policies. 

Step 1: Define Your Requirements 

As a consultant, I spend probably 80 percent of my time helping customers to define requirements and develop discipline around requirements gathering. After all, you must understand the requirements for any solution before you can effectively design that solution. SharePoint is no different.

The problem that I observe is that SharePoint implementations involve a lot of requirements. So I find it helpful to categorize them, and then identify which categories are salient at each step in the process. I suggest that you group your requirements into these categories:

• Business requirements—These are the requirements that really matter. They define the business purpose of the solution that the customer is asking you to create. Whenever possible, avoid polluting business requirements with technical requirements. More often than not, technical requirements are artificial. When a business customer says, “I need a sub site that does x,” or “I need a button that does y,” that customer is casting themselves as a technologist—a solutions developer. Encourage them to take a step back and describe the desired result (x or y) without mentioning technology. Let the technical solution be developed by those who know the technology.

• Technical requirements—Occasionally, technical requirements must be considered. For example, if your mobile sales force is going to use their iPads to access the solution that you are providing, then the ability to access the solution from iPads is a valid technical requirement. Such technical requirements more often relate to architecture—interoperability with other solutions—or infrastructure than to functionality or usability.

• Project requirements—These requirements relate to the creation of the solution, not to the business purpose of the solution. Budget and deadlines are prime examples of project requirements.

• Information-architecture requirements—Information architecture, in its most traditional definition, relates to how content is described, organized, and discovered.

• Information-management requirements—Information-management requirements define how the content is managed over its lifecycle: how it is created, maintained, and archived or deleted. These requirements relate to security, records management, auditing, and compliance.

• Service-management requirements—Behind the solution, the content, and the information is the service itself. Service-management requirements describe IT assurance expectations: recovery, availability, and performance. These requirements lead to service level objectives (SLOs) or service level agreements (SLAs).

Categorizing requirements is valuable for several reasons. First, you can identify the dependencies between requirements. This ability allows you to proceed through the requirement-gathering process in a logical manner.

Business requirements and technical requirements must be defined carefully and understood clearly before you can effectively elicit other requirements. After you have defined the solution, you can identify the types of information that are associated with it. This exercise drives you to find the information-architecture and information-management requirements. Business, technical, and information-management requirements determine the service-management requirements. All are affected by project requirements such as budget and timelines, and you might need to adjust project requirements to accommodate other categories of requirements.

An important take-away: Discussing information-management or service-management requirements before you have clearly defined the business and technical requirements makes little sense. And if the process is undisciplined and additional business or technical requirements are introduced, you will need to revisit the information-architecture, information-management, and service-management requirements.

The second reason why categorizing requirements is valuable is that it allows you to proceed more effectively to the next steps in the governance process, in which you will focus on supporting the information- and service-management requirements. There will continue to be a two-way relationship with those pesky project requirements, but at least you can set aside business and information-architecture requirements, which will have generated the information- and service-management requirements. You’ll return to the information-architecture requirements in the last step of the governance process.

After defining requirements, you can begin to design a solution that meets those requirements. This phase involves the evaluation of options for building or buying the solution. You know you’re doing this part correctly when—at least once in a while—it’s determined that SharePoint is not the right solution for a particular requirement. After all, we can agree that SharePoint is not the silver bullet for every business need, can’t we? If your process is strong enough to overcome loyalty to and enthusiasm for SharePoint when it’s simply not suited for the job at hand, you know you have a good process!

We won’t spend any more time on the evaluation of technical options. Because this is SharePoint Pro magazine, we’ll assume that, for this particular need, SharePoint is the best solution, and we’ll move on to Step 2.

Step 2: Align Management Requirements with Controls and Scopes

Now we focus on determining how to architect a SharePoint service to support your requirements, specifically those in the service- and information-management categories.

First, you must identify what I will call SharePoint management controls. A management control is a configurable setting that has some effect on SharePoint manageability, and therefore on SharePoint governance. Let’s take a simple example. One of your service-management requirements should relate to storage of content (i.e., how much storage the content that is associated with the solution will consume). The requirement to support a specified amount of storage is implemented by quotas, of course. Quotas are a management control—a setting that you can configure to support a requirement.

Now that you’ve located the management control that supports your requirement, you must identify the scope of that control. SharePoint farms have a physical and logical architecture. The logical architecture is a hierarchy of farms, web applications, content databases, site collections, sites, lists, and libraries. Web applications have zones and typically consume one or more services, such as search or metadata. (This logical hierarchy is shown in Figure 1.)

The physical architecture relates to the servers in the farm and the distribution of services across those servers. In other words, which servers host web sites, which host services such as search, and which host SharePoint databases?

Management controls are typically scoped to one, and only one, container in the SharePoint logical or physical architecture. Quotas, for example, are scoped to site collections. You can set a quota for a site collection but not for a child site or an entire web application. Nor can you configure a storage limit for an individual user within a team site collection; the out-of-box quota applies to all content in the site collection, regardless of who creates the content.
Figure 1: SharePoint's logical hierarchy

Scope is an absolutely crucial concept because it determines whether you need more than one of any object in the logical or physical architecture. If the Human Resources (HR) and Engineering teams require distinct quotas (for example, engineers need more storage to support large CAD documents and images), then you have only one option. To support those disparate requirements, you need two scopes—one for HR and one for Engineering—to which you can apply different quotas. And that means that you must have two site collections.

If every solution in your enterprise has identical information- and service-management requirements, then you can get by with a single farm, a single web application, a single content database (subject to a sizing guidance of 4TB) and a single site collection. But you’re highly likely to have solutions that have different information- and service-management requirements, necessitating more than one of many or all of these scopes.

In fact, so many management controls are scoped to site collections that I like to refer to site collections as the administrative container in the SharePoint architecture. Many service- and information-management controls, including quotas, ownership (Site Collection Administrators membership), tenancy, user and group management, auditing, locks, sandbox solutions, and search settings, are scoped at the site-collection level.

You also must consider the capabilities of the management control. What is possible, and what is not possible?

For example, assume that you have the wild service-management requirement to back up data in a large solution every minute. Assuming that the content is of any size, you simply are not going to be able to meet that requirement by using SharePoint backup APIs.

Another example is sandboxed solutions. If you have a service-management requirement to isolate custom code, then you can configure a sandboxed solution—a management control that scopes to a site collection.

After you have enabled sandboxed solutions, a site collection administrator can upload solutions to the sandbox and activate them. There is no out-of-the-box capability to add a workflow whereby another, higher-level administrator can approve the solution before it is activated.

A key concept here is out-of-the-box. Although SharePoint management controls might have certain limited scopes and capabilities, sometimes you can build or buy tools that extend those scopes and capabilities.

So if you run into a situation in which your information- or service-management requirements drive you towards an unacceptable architecture, you can choose to work around the limitation, build or buy code that overcomes the limitation, or return to the question, “Is SharePoint the right technical solution to address the requirements?”

This is the nitty-gritty part: You must determine how SharePoint can support your information- and service-management requirements through out-of-box or extended manageability controls, and which logical and physical architecture is necessary to scope the settings that you require. (I will dive into numerous examples of how to succeed with this step—and how to fail miserably—in future articles.)

Step 3: Align Business Requirements with Controls, Features, and Scopes

After you put a set of requirements through Step 2, you typically will have an architecture that defines farms, servers, web applications, content databases, and site collections. Occasionally, your architecture will dive deeper into sites, lists, and libraries. The resulting architecture will support your information- and service-management requirements.

You can then further refine that architecture to support business requirements—specifically those functionality requirements that are implemented as a feature, template, list, library, or site definition.

For example, suppose that a business requirement can be supported by providing the leader of a team site with a blog. SharePoint implements blogs as a site definition (or template), so your logical architecture must include a site for the blog—typically, one that will be distinct from other collaborative content on a team site.

Step 3 is similar to Step 2, but you’re using a different set of requirements at this point, to drive the lower levels of your logical architecture. You did not consider business requirements in Step 2, although these requirements informed the information- and service-management requirements that you did consider.

When you complete this step, you will generally find that you have added some child sites, lists, and libraries to the logical architecture that you produced in Step 2. Step 3 typically does not involve modifying the farms, servers, web applications, content databases, or site collections in the architecture.

Step 4: Overlay Information Architecture and Manageability

As you can imagine, even a simple SharePoint implementation is likely to have more than one site collection, web application, and farm. And as soon as content is distributed across more than one site collection, web application, or farm, or across more than one content database or server, working with SharePoint becomes more difficult.

First, navigation becomes a challenge. When you create content within a single site collection—a child site, for example—you can add links to the parent container so that users can navigate easily.

However, when you create a second site collection, no such navigation links are created. You must either manually manage navigation or build or buy a tool that manages and presents a navigation structure.

Administration also becomes more difficult. If a user needs access to content in each of the two site collections, then the user must be added to each site collection individually; identity management is scoped at the site collection.

If you need to pull an audit report of content, you must pull reports from both site collections; auditing is configured and reported at the site collection scope. Because site collections are, in my words, the administrative container of SharePoint, your administrative burden increases as soon as you have more than one.

To address administration and management of a SharePoint implementation with more than one farm, web application, content database, or site collection, Windows PowerShell is your best friend. PowerShell can iterate (i.e., loop) through your architectural elements and can perform repetitive tasks quickly and easily. Several third-party tools also give you a single-pane-of-glass view of your SharePoint service, regardless of how complicated its logical and physical architecture might be.
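The site-collection-scoped controls listed under Step 2 (quotas, ownership, auditing, locks, sandboxed solutions) and the PowerShell iteration just described fit together in a single inventory script. What follows is an added example, not code from this article: it walks every site collection in every web application and writes one row per site collection with the settings a governance review cares about. It assumes the Microsoft.SharePoint.PowerShell snap-in on a farm server and a writable output path (C:\Temp\SiteCollectionInventory.csv is an assumed value).

```powershell
# Added example: inventory the site-collection-scoped management controls
# (quota, auditing, lock state, site collection administrators, sandboxed
# solutions) across every web application in the farm.
# The snap-in and the output path are assumptions, not taken from the article.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$outputPath = 'C:\Temp\SiteCollectionInventory.csv'   # assumed path

function Get-SiteCollectionGovernanceReport {
    $rows = @()
    foreach ($webApp in Get-SPWebApplication) {
        foreach ($site in ($webApp | Get-SPSite -Limit All)) {
            try {
                # Quota is stored in bytes; 0 means "no limit", which is a finding in itself.
                $quotaMB = 0
                if ($site.Quota.StorageMaximumLevel -gt 0) {
                    $quotaMB = [math]::Round($site.Quota.StorageMaximumLevel / 1MB)
                }
                $usedMB = [math]::Round($site.Usage.Storage / 1MB)

                # AuditFlags is an SPAuditMaskType flags enum; 'None' means nothing is recorded.
                $auditFlags = $site.Audit.AuditFlags.ToString()

                $admins = ($site.RootWeb.SiteAdministrators |
                           ForEach-Object { $_.LoginName }) -join ';'

                # Lock state: ReadLocked (no access), ReadOnly, WriteLocked (no additions);
                # LockIssue carries the reason an administrator recorded when locking.
                $lockState = 'Unlocked'
                if ($site.ReadLocked)       { $lockState = 'NoAccess' }
                elseif ($site.ReadOnly)     { $lockState = 'ReadOnly' }
                elseif ($site.WriteLocked)  { $lockState = 'NoAdditions' }

                $sandboxCount = (Get-SPUserSolution -Site $site | Measure-Object).Count

                $rows += New-Object PSObject -Property @{
                    WebApplication   = $webApp.DisplayName
                    ContentDatabase  = $site.ContentDatabase.Name
                    Url              = $site.Url
                    QuotaMB          = $quotaMB
                    UsedMB           = $usedMB
                    AuditFlags       = $auditFlags
                    LockState        = $lockState
                    LockIssue        = $site.LockIssue
                    SiteAdmins       = $admins
                    SandboxSolutions = $sandboxCount
                }
            }
            finally {
                # SPSite wraps unmanaged resources; dispose each one when iterating a farm.
                $site.Dispose()
            }
        }
    }
    return $rows
}

$report = Get-SiteCollectionGovernanceReport
$report | Export-Csv -Path $outputPath -NoTypeInformation

# Surface the gaps worth a second look: no quota, no auditing, or a single
# site collection administrator (no backup owner).
$report | Where-Object {
    $_.QuotaMB -eq 0 -or $_.AuditFlags -eq 'None' -or
    ($_.SiteAdmins -split ';').Count -lt 2
} | Format-Table Url, QuotaMB, AuditFlags, SiteAdmins -AutoSize
```

Run it from the SharePoint 2010 Management Shell as a farm administrator; the CSV is the artifact to keep from one review to the next, and the final filter is the part to adapt to whatever your information- and service-management requirements actually say.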

When you architect a governable SharePoint implementation, you will almost certainly end up with one that is more difficult than you’d actually prefer to manage on a day-to-day basis. A disconnect exists between governance and ease of use, and that disconnect is an unfortunate side effect of using a platform with limited but rich features to support an unlimited number of business requirements. Workarounds, PowerShell, and extensions to SharePoint become crucial. Luckily for us all, SharePoint has an extraordinary community of consultants, developers, project managers, IT pros, MVPs, and ISVs to help us succeed.

In this article, I’ve outlined the process through which you can get from requirements to a governable SharePoint architecture. Half the story is what SharePoint can and can’t do, and how it was designed. The other half is what you’re asking SharePoint to do. There are myriad examples to illustrate that those two things don’t always align as neatly or easily as you would hope.

I’m not saying the governance process is easy, but it is necessary. In an upcoming article, I’ll show you several common examples of real-world scenarios and how they affect your logical and physical architecture.
Using Custom Actions to Empower SharePoint Designer 2010 Workflows

Address SPD 2010 limitations with the help of Visual Studio

The complete workflow story was significantly improved in SharePoint 2010 as Microsoft invested in SharePoint Designer 2010 (SPD 2010) capabilities in creating custom workflows with the SharePoint 2010 release. SPD 2010 is a tool that can create powerful declarative workflows, but previous versions were dismissed by many because its workflows were tied to a specific list at design time, which meant there wasn't a good option for creating and deploying workflows with a simple copy-paste deployment between a development and production environment.

SPD 2010 changed this with the ability to support reusable (aka content type) workflows that could be created in one environment, saved as a sandbox solution package, and easily saved and deployed to another environment.

It also added other very important improvements such as impersonation steps, a better workflow designer, the ability to import workflows authored in Visio 2010, and a significantly improved task approval process designer.

Challenges with SPD 2010 Workflows 

However, with all these improvements, a few things still lead people to dismiss SPD 2010 as their workflow tool. For instance, SPD 2010 can’t support loops or state machine workflows. SPD 2010’s declarative workflows are limited to sequential workflows that can have decision points (“IF” statements), but there is no looping process.

In addition, SPD 2010 doesn’t provide low-level debugging 
or elevation of privileges. Debugging is limited to monitoring 
what inputs are provided to the workflow and how it reacts. 
Another big limitation of SPD 2010-authored workflows 
is that they can access content only within the same site 
where they’re running; they can’t access content from other 
sites, site collections or external feeds, or Web services. 


Challenges with VS 2010 Workflows 

Many customers concluded their only option was to move 
to Visual Studio (VS) 2010 for creating their workflow 
solutions. This presented other challenges, though. For 
instance, all VS 2010 workflows are code based and must 
be deployed as fully trusted farm solutions; it’s not possible 
to deploy a workflow built in VS 2010 to the sandbox. VS 
2010 workflows are usually built only by developers, not by 
power users or the business analysts who best understand 
the business process being automated by the workflow. 

Addressing SPD 2010 Limitations 

In the first few months after SharePoint 2010's release, I saw that many people were still in what I considered the SharePoint 2007 mode of thinking with respect to workflow. This thought process usually involved ditching SPD 2010 as the workflow tool and building the workflow with VS 2010 when one of the aforementioned limitations was encountered. I find this disappointing because building workflows with VS 2010 leaves a lot on the table. You lose the ability to have declarative-only workflows that can be deployed to the sandbox, your developers aren’t in charge of building a business process, and worst of all, more custom code needs to be maintained.

This is disappointing because typically the majority of the workflow process can be expressed using SPD 2010, with only one or two small pieces that SharePoint 2010 can’t handle. These few pieces push people to VS 2010. But instead of throwing the whole workflow out, why not address the problem?

One option is to have a developer create a custom action (otherwise known as an activity) with VS 2010 and deploy it to SharePoint 2010. When a user opens the site in SPD 2010, the custom action will be available in the list of the
using System;
using System.Collections;
using Microsoft.SharePoint;
using Microsoft.SharePoint.UserCode;

namespace CPT.Samples.SandboxedAction {
    public class UpdateWebDescriptionAction {

        // A sandboxed action receives an SPUserCodeWorkflowContext from the
        // workflow engine and returns a Hashtable of output parameters (none here).
        public Hashtable UpdateWebPropertyBagValue(SPUserCodeWorkflowContext context) {
            using (SPSite siteCollection = new SPSite(context.CurrentWebUrl)) {
                using (SPWeb site = siteCollection.OpenWeb(context.CurrentWebUrl)) {
                    site.Description = "Updated from custom sandbox action at " +
                        DateTime.Now.ToString();
                    site.Update();   // SPWeb property changes are not persisted without Update()
                }
            }
            return new Hashtable();
        }
    }
}

Listing 1: Code for a Custom Sandboxed Custom Action


<Elements xmlns="http://schemas.microsoft.com/sharepoint/">
  <WorkflowActions>
    <Action Name="Update Site Description (sandboxed)"
            SandboxedFunction="true"
            Assembly="$SharePoint.Project.AssemblyFullName$"
            ClassName="CPT.Samples.SandboxedAction.UpdateWebDescriptionAction"
            FunctionName="UpdateWebPropertyBagValue"
            UsesCurrentItem="false"
            AppliesTo="all"
            Category="CPT Actions">
      <RuleDesigner Sentence="Update current site description to current timestamp." />
      <Parameters>
        <Parameter Name="_Context" Direction="In" DesignerType="Hide"
                   Type="Microsoft.SharePoint.WorkflowActions.WorkflowContext, Microsoft.SharePoint.WorkflowActions" />
      </Parameters>
    </Action>
  </WorkflowActions>
</Elements>

Listing 2: Code to Register an Action Using an Element Manifest File


actions that can be used in the declarative workflow. These 
custom actions can be deployed either to the sandbox or as 
a fully trusted farm solution and are scoped to a particular 
site collection. 


Capabilities of Custom Actions 

A custom action is no different than the type of actions (aka activities) in VS 2010-based workflows. You’re simply wrapping up custom code in a reusable component. This custom component could call out to another Web service or feed or impersonate a more privileged user or even access content on other SharePoint sites or site collections. You can address almost every single SPD 2010 limitation with a custom action created in VS 2010. The two biggest exceptions to this rule are the inability to simulate state machine workflows and the ability to create sophisticated loops. SharePoint 2010 lets developers create two different types of custom actions for use within declarative workflows authored with SPD 2010: sandboxed actions and full trust actions. Let’s now look at these options.

Sample Sandbox Custom Action 

In my opinion, developers should try to create sandbox custom actions before creating full trust custom actions, because

Figure 1: View of new custom action options


using System;
using System.Workflow.ComponentModel;
using Microsoft.SharePoint.WorkflowActions;

public partial class UpdateWebDescriptionActivity : Activity {
    // The workflow context is bound to the activity as a dependency property;
    // SPD supplies it through the _Context parameter declared in the .actions file.
    public static DependencyProperty _ContextProperty =
        DependencyProperty.Register("_Context", typeof(WorkflowContext),
            typeof(UpdateWebDescriptionActivity));

    public WorkflowContext _Context {
        get { return (WorkflowContext)base.GetValue(_ContextProperty); }
        set { base.SetValue(_ContextProperty, value); }
    }

    protected override ActivityExecutionStatus Execute(ActivityExecutionContext executionContext) {
        _Context.Web.Description = "Updated from custom sandbox action at " + DateTime.Now.ToString();
        _Context.Web.Update();   // persist the changed description
        return ActivityExecutionStatus.Closed;
    }
}

Listing 3: Code Required in a Custom Action Deployed as a Farm Trusted Solution

the declarative SPD 2010-based workflows they will be used within can be run from the sandbox. A mixed story of having to tell a customer “you need to deploy this farm trust solution for a custom action that is used by this sandbox solution” doesn’t sound so good, nor does it permit the entire solution to be used within most hosted SharePoint deployments.

As with other sandboxed solutions, a sandboxed custom action will have such limitations as the inability to issue Web service calls, database calls, or impersonate a user with elevated permissions. Listing 1 shows a custom
Figure 2: Another view of new custom action options


sandboxed custom action that sets the value of the current site’s description. It was built with VS 2010, using the Empty SharePoint Project template. After the action is built, register it using an element manifest file in the Feature that will make SPD 2010 aware of the action.

This file, which Listing 2 shows, contains information about the action as well as the designer to use within the SPD 2010 interface. Build and package the project to create a WSP and add it to a site collection’s solution gallery. After the solution is activated in the solution gallery, when users open the site in SPD 2010, they will see the new custom action (Figure 1 and Figure 2).


Sample Farm Trust Custom Action

The sandboxed custom action won’t give you everything you need. Maybe you want to make a call to a custom database or an external Web service. These require creating a full blown custom activity in VS 2010. The code sample in Listing 3 shows the code required in a custom action deployed as a farm trusted solution. Just like the sandboxed custom action, this project requires a separate custom actions file to make SPD 2010 aware of the custom action, and it can be used the same way when deployed to the {SharePointRoot}\TEMPLATE\{LCID}\Workflow directory. For more details on creating sandboxed and full trust custom actions, see Inside SharePoint 2010 (MSPress), by Ted Pattison, Andrew Connell et al, or go to the SharePoint SDK (bit.ly/oTAveH).
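Both deployment paths described above (a WSP uploaded to a site collection's solution gallery, and a farm-trusted WSP whose .actions file lands under TEMPLATE\{LCID}\Workflow) can be scripted so the steps are repeatable between development and production. The following is an added example and not the article's own code; the package names CPT.Samples.SandboxedAction.wsp and CPT.Samples.FarmAction.wsp, the site URL and the C:\Deploy folder are assumed values.

```powershell
# Added example: deploy a sandboxed custom-action WSP to one site collection's
# solution gallery, or a farm-trusted WSP farm-wide, with PowerShell.
# Package names, site URL and C:\Deploy are assumed values, not from the article.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl    = 'http://portal.contoso.com/sites/workflows'   # assumed
$sandboxWsp = 'C:\Deploy\CPT.Samples.SandboxedAction.wsp'   # assumed
$farmWsp    = 'C:\Deploy\CPT.Samples.FarmAction.wsp'        # assumed

function Deploy-SandboxedAction {
    param([string]$Url, [string]$WspPath)

    # A sandboxed action only runs if the Sandboxed Code Service is online somewhere
    # in the farm; activation succeeds without it, but the workflow then fails at run time.
    $sandboxService = Get-SPServiceInstance |
        Where-Object { $_.TypeName -like '*Sandboxed Code Service*' -and $_.Status -eq 'Online' }
    if (-not $sandboxService) { throw 'The Sandboxed Code Service is not online on any server.' }

    $name = Split-Path $WspPath -Leaf
    $existing = Get-SPUserSolution -Site $Url | Where-Object { $_.Name -eq $name }
    if ($existing) {
        # Redeploying: deactivate and remove the previous package first.
        if ($existing.Status -eq 'Activated') {
            Uninstall-SPUserSolution -Identity $name -Site $Url -Confirm:$false
        }
        Remove-SPUserSolution -Identity $name -Site $Url -Confirm:$false
    }

    # Upload to the solution gallery and activate: the same two steps a site
    # collection administrator performs in the browser, scoped to this site collection only.
    Add-SPUserSolution -LiteralPath $WspPath -Site $Url | Out-Null
    Install-SPUserSolution -Identity $name -Site $Url
    return Get-SPUserSolution -Identity $name -Site $Url
}

function Deploy-FarmAction {
    param([string]$WspPath, [string]$Url)

    $name = Split-Path $WspPath -Leaf
    $solution = Get-SPSolution | Where-Object { $_.Name -eq $name }
    if (-not $solution) { $solution = Add-SPSolution -LiteralPath $WspPath }

    # Derive the Install-SPSolution arguments from what the package actually contains:
    # GAC deployment only if it ships an assembly, and when it carries web-application
    # resources, scope it to the one web application that needs it, not -AllWebApplications.
    $installParams = @{ Identity = $name }
    if ($solution.ContainsGlobalAssembly) { $installParams['GACDeployment'] = $true }
    if ($solution.ContainsWebApplicationResource) {
        $site = Get-SPSite $Url
        $installParams['WebApplication'] = $site.WebApplication
        $site.Dispose()
    }
    if (-not $solution.Deployed) { Install-SPSolution @installParams }

    # Deployment is a timer job that copies the files (including the .actions file
    # under TEMPLATE\{LCID}\Workflow) to every server; wait for it before reporting.
    while ((Get-SPSolution -Identity $name).JobExists()) { Start-Sleep -Seconds 2 }
    return Get-SPSolution -Identity $name
}

$sandboxResult = Deploy-SandboxedAction -Url $siteUrl -WspPath $sandboxWsp
$sandboxResult | Select-Object Name, Status

$farmResult = Deploy-FarmAction -WspPath $farmWsp -Url $siteUrl
$farmResult | Select-Object Name, Deployed, DeployedWebApplications
```

The two functions make the trust difference visible: the sandboxed path touches only one site collection's gallery and needs only a site collection administrator, whereas the farm path needs a farm administrator, runs as a timer job on every server, and (if the package contains an assembly) places code in the GAC. For a new version of an already deployed farm solution, use Update-SPSolution rather than Install-SPSolution.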

Empower Users

I hope you will consider the idea of having developers create custom actions using VS 2010 to augment and empower SPD 2010 workflows. This approach limits the amount of custom code deployed, and thus maintained, in an environment, and it also ensures more people can create custom workflows with SPD 2010, instead of limiting that process to developers who have VS 2010.
Feature

SharePoint Admins Can Learn to Love PowerShell

Three lessons you don't have to learn the hard way

As with any new release, there was a lot to learn when SharePoint 2010 hit the streets. Typically, I’m up for such a challenge. Heck, I revel in it. However, one of the biggest challenges that I almost didn’t overcome was learning Windows PowerShell.

I’ve been working with SharePoint for a long time. Although I started with SharePoint Team Services 2001, I cut my teeth with Windows SharePoint Services 2.0 (WSS 2.0). I used it to manage a farm with more than 1,200 site collections and more than 10,000 subsites, which are often referred to as webs. I learned early on to embrace scripting.

I became especially good friends with the Stsadm command-line tool. Stsadm let me manage the large farm and still have time to watch hysterical cat videos on YouTube. I wrote a TechNet Magazine article on Stsadm, a book chapter on Stsadm, and spoke at TechEd on, you guessed it, Stsadm. Imagine my shock and horror when I found out that SharePoint 2010 was going to transition to PowerShell and my beloved Stsadm was being deprecated.

Until that moment in 2009, my exposure to PowerShell had been limited. I had avoided it because it seemed too “developery” for my tastes. It had objects, whatever those are. Stsadm, while limited and quirky, was easy to tame. PowerShell was complicated and bombastic. I wasn’t sure if I was smart enough to trick it into doing my bidding. I found myself in the first of the seven stages of grief.

After I made it to the seventh stage, Acceptance, I got back up on my horse and started trying to conquer this beast. I bought PowerShell books and looked for PowerShell support groups in my area. Nothing seemed to work. I still couldn’t do anything with it besides adding two numbers together and writing “Hello World” on my screen. Maybe I wasn’t smart enough to use PowerShell.


Lesson 1: Just Use It 

One day it hit me: I was going at this backward. Instead 
of learning the language so that someday I could use 
PowerShell to get tasks done in SharePoint, I should start 
trying to automate daily SharePoint tasks as a way to learn 
the language. Of all the PowerShell lessons I’ve learned, 
this one is the most important. That was the day the skies 
opened and the sun shone down on me and PowerShell. 

Lesson 2: Make Get-Member Your Hero 

My first scripts were mundane, simple stuff like getting a 
list of site collections with Get-SPSite or a list of webs with 
Get-SPWeb. Although they were basic, they did ease me 
into concepts like PowerShell’s pipeline and how to format 
command output with cmdlets such as Select-Object and 
Format-Table. I was able to write handy one-liners like this: 

Get-SPSite -Limit all |
Select-Object Url, Owner, SecondaryContact |
Format-Table -AutoSize

(Although this command wraps here, you’d enter it all on 
one line in the PowerShell console. The same holds true for 
the other commands that wrap.) This one-liner returns a 
handy list of all the site collections in the farm, along with 
each site collection’s owner and secondary owner. 

In this one-liner, it’s intuitive that the Owner property stores 
the name of the owner, but the same can’t be said for 
SecondaryContact property, which stores the name of the 
secondary owner. An object’s properties and methods aren’t 
always intuitive, which is one of PowerShell’s little quirks 
that contribute to its bad reputation and high learning curve. 

Fortunately, PowerShell has the Get-Member cmdlet, which 
has rescued me on many occasions. You can use it with any 
object to learn about that object’s properties and methods. 
For example, you can see all the properties of the SPSite 
object with the following command: 
Get-SPSite | Get-Member

Running this command is how I discovered that I had to use Owner and SecondaryContact to retrieve the names of the primary and secondary owners. It’s also how I discovered countless other gems about all types of objects. Walking through an object’s list of properties and methods has not only helped me figure out how to accomplish a given task but also inspired me to write scripts.

For example, after getting the members of the SPWeb 
object, I was inspired to write another handy one-liner. 

In my SharePoint 2003 and SharePoint 2007 days, I often 
helped users troubleshoot SharePoint web problems. I’d 
ask them, “Which template was used to create this web?” 
They never knew because most of the time they weren’t the 
people who created that web. Different webs have different 
Web Parts and features, so knowing which template was 
used to create a web is helpful. In SharePoint 2003, there 
was no way to get that information. In SharePoint 2007, 
there wasn’t a way before SP2 came out. With PowerShell, 
it’s easy to discover the template with the command: 

Get-SPWeb http://portal.contoso.com/mysteryweb | Select-Object Url, WebTemplate, WebTemplateId | Format-Table -AutoSize 

I would have never thought to use PowerShell for this, 
but when I used Get-Member with SPWeb I saw the 
WebTemplate property and my curiosity was piqued. Now I 
have another invaluable tool in my bag of tricks. 

Lesson 3: Take Command with Get-Command 

Knowing an object’s members is good, but only after 
you’ve figured out which objects and cmdlets to use. How 
to discover cmdlets was another important lesson I learned. 
Get-Command lists cmdlets based on the criteria you provide. My first introduction to Get-Command was the following one-liner, which lists all the SharePoint-related cmdlets: 

Get-Command -Module Microsoft.Sharepoint.Powershell 

Then I refined my cmdlet searches with other parameters. 
For example, the following one-liner lists all the cmdlets 
that deal with site collections, or SPSites as PowerShell 
refers to them: 

Get-Command -Noun SPSite 

You can substitute any cmdlet verb or noun in that command. You can also use wildcards like this: 

Get-Command *SPSite* 

A Foundation for the Future 

Although I learned these three lessons the hard way, they 
have allowed me to build an ever-growing foundation of 
PowerShell understanding. By forcing myself to learn how 
to do boring everyday tasks in PowerShell, I was gathering 
the skills needed to write more complicated scripts. 


# Make sure the SharePoint extensions are loaded.
Add-PSSnapin Microsoft.SharePoint.PowerShell -EA 0

# Make a backup copy of the HOSTS file with today's date.
$hostsfile = 'C:\Windows\System32\drivers\etc\hosts'
$date = Get-Date -UFormat "%y%m%d%H%M%S"
$filecopy = $hostsfile + '.' + $date + '.copy'
Copy-Item $hostsfile -Destination $filecopy

# Get a list of the Alternate Access Mappings (AAMs) and
# weed out the duplicates. The wildcard in the Where-Object filter
# was lost in the scan; "*:*" is assumed here, which drops URLs that
# carry a port number, since a HOSTS entry cannot hold one.
$hosts = Get-SPAlternateURL |
    ForEach-Object { $_.IncomingUrl.Replace("https://", "").Replace("http://", "") } |
    Where-Object { $_.ToString() -notlike "*:*" } |
    Select-Object -Unique

# Get the contents of the HOSTS file as a single string.
$file = Get-Content $hostsfile | Out-String

# Write the AAMs to the HOSTS file, unless they already exist.
$hosts | ForEach-Object {
    if ($file.Contains($_)) {
        Write-Host "Entry for $_ already exists. Skipping"
    } else {
        Write-Host "Adding entry for $_"
        Add-Content -Path $hostsfile -Value "127.0.0.1`t$_"
    }
}

# Disable the loopback check, since everything we just did will
# fail if it's enabled. Note that this value turns off the NTLM
# loopback check for every host name on the server; the narrower
# BackConnectionHostNames value under the same key lists only the
# names that need it.
New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -Value "1" -PropertyType dword

Listing 1: PowerShell Script to Write SharePoint URLs to a Server's HOSTS File 

Listing 1 shows one of my latest creations. This script writes 
SharePoint URLs to a server’s HOSTS file. As a rule, I always 
point my SharePoint servers at themselves in their HOSTS 
files. This aids in troubleshooting and helps control which 
machines the search indexer uses when it performs crawls. I 
found myself making the same changes over and over when 
I performed installations, so this task was a perfect candidate 
for PowerShell. To write this script, I needed to understand 
how to get PowerShell to manipulate not only SharePoint but 
also file systems and the registry. I also needed to be able to 
walk through a collection of objects with a ForEach loop and 
manipulate values with the Replace and ToString methods. 
Fortunately, I had that foundation, and I was able to write 
that script with little effort—my favorite kind of writing. You 
can find more information about this script in my blog post 
at www.toddklindt.com/edithosts. 
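The same task modelled in Python, as an added example that is not part of the article or of the author's blog post: it reduces each AAM URL to a bare host name, skips mappings that carry a port (assumed here to be what the lost filter in Listing 1 does, since a HOSTS line cannot hold a port), compares against the names the file already maps token by token rather than by substring, and takes a timestamped backup before writing. The AAM list and HOSTS content are constructed sample data; `update_hosts_file` is the only function that touches disk.

```python
import re
import shutil
from datetime import datetime
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample input: AAM incoming URLs as SharePoint reports them,
# including one that carries a port and one duplicated across schemes.
SAMPLE_AAMS = [
    "http://portal.contoso.com",
    "https://portal.contoso.com",
    "http://portal.contoso.com:8080",
    "http://intranet.contoso.com/",
]

# Constructed sample HOSTS content. The staging alias is a superstring of
# portal.contoso.com, so a substring test would wrongly report a match.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       myportal.contoso.com    # staging alias
"""


def aam_hostnames(urls):
    """Reduce AAM URLs to unique bare host names. URLs with an explicit
    port are skipped, since a HOSTS entry cannot carry one."""
    names = []
    for url in urls:
        parts = urlsplit(url)
        if parts.port is not None:
            continue
        host = parts.hostname
        if host and host not in names:
            names.append(host)
    return names


def existing_hostnames(text):
    """Return the set of host names a HOSTS file already maps, ignoring
    blank lines and both full-line and trailing comments."""
    found = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\s+", line)       # address, then one or more names
        found.update(name.lower() for name in fields[1:])
    return found


def merge_hosts(text, hostnames, address="127.0.0.1"):
    """Append an entry for each name not already mapped.
    Returns (new_text, added_names)."""
    present = existing_hostnames(text)
    added = []
    out = text if (not text or text.endswith("\n")) else text + "\n"
    for name in hostnames:
        if name.lower() in present:
            continue
        out += f"{address}\t{name}\n"
        present.add(name.lower())
        added.append(name)
    return out, added


def update_hosts_file(path, hostnames):
    """Take a timestamped backup copy, then merge the names into the file."""
    path = Path(path)
    stamp = datetime.now().strftime("%y%m%d%H%M%S")
    shutil.copy2(path, path.with_name(f"{path.name}.{stamp}.copy"))
    new_text, added = merge_hosts(path.read_text(), hostnames)
    if added:
        path.write_text(new_text)
    return added


if __name__ == "__main__":
    text, added = merge_hosts(SAMPLE_HOSTS, aam_hostnames(SAMPLE_AAMS))
    print(text)
    print("added:", added)
```

The token comparison is the point of the example: a substring test like Listing 1's `$file.contains($_)` would treat the existing myportal.contoso.com line as already covering portal.contoso.com and skip it, leaving the server resolving that name through DNS after all.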


Becoming proficient in PowerShell made me a better 
SharePoint administrator and probably a better person. It 
allows me to automate common SharePoint tasks as well 
as accomplish some uncommon tasks. On top of that, I can 
use that same PowerShell knowledge in other products such 
as Windows Server and SQL Server. I have not only learned 
PowerShell but also learned to love it. 

InstantDoc ID 140143 


Todd O. Klindt (todd@sharepoint911.com) is a consultant for 
SharePoint911 and a SharePoint MVP 


SharePoint Pro | October 2011 19 




By Todd Baginski 


Feature 



Implementing Custom 
WCM Sites with 
SharePoint 2010 


Three lessons learned while building public-facing websites 


SharePoint Server 2010’s web content management (WCM) capabilities let developers create compelling public-facing websites built on the SharePoint platform while enabling content owners to easily manage and update the content in the websites without writing a single line of code. When SharePoint websites are properly architected, content owners can use a web browser to update content stored inside SharePoint lists. They can edit the content directly within the body of a web page or edit the list content in a SharePoint list’s edit form. 

My experience building custom WCM sites with SharePoint 
Server 2010 started early in its product cycle. I was leading 
the architecture and development team that was charged 
with upgrading the platform of the SharePoint marketing 
website from Microsoft Office SharePoint Server 2007 (MOSS 
2007) to SharePoint Server 2010. We launched the marketing 
website on the Beta 1 build of SharePoint Server 2010 during 
Steve Ballmer’s keynote address at the Microsoft SharePoint 
Conference in 2009. It’s safe to say that my team and everyone else who worked on the website was nervous about going live with a Beta 1 build, but it turned out the product was stable enough. After the website was launched, other teams transitioned the site to the Beta 2 and release to manufacturing (RTM) builds and redesigned the site to give it 
the look and feel you see today at sharepoint.microsoft.com. 

While working on the SharePoint marketing website and 
several others—including the Microsoft Visio (visio 
.microsoft.com) and Microsoft Lync (lync.microsoft.com) 
marketing websites—I learned many lessons about building 
public-facing websites on the SharePoint 2010 platform. I’ll 
share three lessons that I feel are most helpful because they 
involve techniques that you can use to prevent or solve 
common problems. 

Lesson 1: Pay Attention to Page Size 

As you develop SharePoint sites, you need to keep in 
mind that the out-of-the-box SharePoint pages have a large 


payload to begin with. For example, the out-of-the-box 
SharePoint Publishing Site home page makes 37 requests 
and downloads a total of 635,348 bytes, as Figure 1 
shows. Many of these requests are for JavaScript files and 
Cascading Style Sheets (CSS) files. 

As you add new graphical elements, content, and functionality to your pages, the page payload increases even more. 
To make sure that your pages are as small as possible and 
load quickly in a web browser, you can take advantage of 
the following techniques. 

Combine and minify JavaScript and CSS files. To help 
keep your pages as small as possible, you can package and 
deploy your CSS and JavaScript files with the following 
guidelines in mind. Whenever possible, combine all of your 
custom JavaScript files into a single file. This reduces 
the number of requests the web browser has to make to the 
SharePoint server and cuts down on page load time. The 



Figure 1: Waterfall report for the out-of-the-box SharePoint 
Publishing Site home page 
Figure 2: Regions that asynchronously load new images without refreshing the entire web page 

same principle applies to CSS files. However, this might 
not always be possible to do, depending on how your components are architected. So, you should combine all your 
CSS files into a single file whenever possible. In addition to 
combining all your JavaScript and CSS files, minify them 
whenever possible. For example, you can remove the white 
space and line breaks in these files to make them as small 
as possible. 

Use content delivery networks (CDNs). When possible, 
you should use CDNs to load JavaScript files. For example, 
you can use the minified JQuery library (jquery-1.6.2.min 
.js) and the minified JQuery UI library (jquery-ui.min.js), 
which are part of the Microsoft Ajax CDN (www.asp.net/ 
ajaxlibrary/cdn.ashx). 

CDNs have two benefits. First, they speed up loading 
assets. Assets are loaded to users’ browsers from the closest servers possible. Second, CDNs reduce the amount of 
bandwidth consumed between the SharePoint servers and 
browsers, thus saving you money on bandwidth usage. 

Remove comments. Removing comments is perhaps the 
most often overlooked performance tweak you can make to 
a website. Many times developers don’t remove comments 
from the JavaScript files, CSS files, page layouts, or master 
pages in their SharePoint sites before deploying them to 
production. 

For example, in one of my client’s websites, I found comments in a previously deployed master page that added 5KB to the page payload size. Comments can be very helpful during development, but whenever you can do so, eliminate comments from the assets you deploy to your website. 
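An added example, not from the article, covering both the "Combine and minify" and the "Remove comments" advice above: a small Python build step that concatenates style sheets in a fixed order, strips `/* */` comments and collapses whitespace, and reports the byte saving. The two style sheets are constructed; the second one deliberately contains comment-like text inside a quoted string, which a naive regex strip would destroy. A full minifier does more (shorthand rewriting, colour compaction); this shows the one rule that must never be violated.

```python
# Constructed sample style sheets, as they might sit in a Style Library
# before deployment; the comment-like text inside the quoted string in
# theme.css must survive minification.
SAMPLE_CSS = {
    "layout.css": """/* Layout rules for the marketing site.
   TODO: remove the legacy float hack once IE7 is dropped. */
#s4-bodyContainer {
    width: 960px !important;   /* fixed-width design */
    margin: auto;
}
""",
    "theme.css": """.hero::before { content: "/* not a comment */"; }
.hero  {  color : #333 ;  }
""",
}


def strip_css_comments(css):
    """Remove /* ... */ comments, leaving quoted strings untouched."""
    out, i, n, quote = [], 0, len(css), None
    while i < n:
        ch = css[i]
        if quote:                                   # inside a string
            out.append(ch)
            if ch == "\\" and i + 1 < n:            # keep escaped char verbatim
                out.append(css[i + 1])
                i += 1
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            out.append(ch)
        elif css.startswith("/*", i):
            end = css.find("*/", i + 2)
            i = n if end < 0 else end + 2           # unterminated comment eats the rest
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def minify_css(css):
    """Collapse runs of whitespace outside strings, keeping a single space
    only where two tokens would otherwise merge (e.g. '960px !important')."""
    out, i, n, quote = [], 0, len(css), None
    while i < n:
        ch = css[i]
        if quote:
            out.append(ch)
            if ch == "\\" and i + 1 < n:
                out.append(css[i + 1])
                i += 1
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            out.append(ch)
        elif ch.isspace():
            j = i
            while j < n and css[j].isspace():
                j += 1
            prev = out[-1] if out else ""
            nxt = css[j] if j < n else ""
            if prev and nxt and prev not in "{};:," and nxt not in "{};:,":
                out.append(" ")
            i = j
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def combine_and_minify(files):
    """Concatenate the sheets in order, strip comments, then minify.
    Returns (minified_text, bytes_before, bytes_after)."""
    combined = "\n".join(files.values())
    minified = minify_css(strip_css_comments(combined))
    return minified, len(combined.encode()), len(minified.encode())


if __name__ == "__main__":
    text, before, after = combine_and_minify(SAMPLE_CSS)
    print(text)
    print(f"{before} bytes -> {after} bytes")
```

Order matters when combining: the dictionary keeps insertion order, so later sheets override earlier ones exactly as separate CSSRegistration entries would.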


Turn off View State. Another overlooked performance 
tweak is turning off the View State mechanism for the 
controls you place in web pages. This helps reduce page 
payload considerably. Unless your controls require that 
the View State mechanism be enabled, turning it off won’t 
adversely affect your website. For anonymous public-facing Internet sites, View State typically isn’t required. 

The amount of data that a control stores in its ViewState 
property varies. A small view state of 1,500 to 2,000 
bytes is pretty typical for a page in a SharePoint website. 
However, you’d be surprised how many SharePoint sites 
have a view state of 9,000 bytes or more. It might not 
sound like a big difference, but the bytes add up. 

Load content asynchronously. Lazy loading content asynchronously, and only as needed, is a slightly more advanced technique to reduce page payload. This technique reduces the size of the initial page load. Sometimes the reduction is substantial, but it depends on the design and functionality of the website. The JQuery library makes implementing this approach easy. 

The Visio marketing website shown in Figure 2 provides a good example of this technique. The red boxes indicate where users can click to load additional information, without refreshing the web page in the browser. Each time one of these regions is clicked, an asynchronous call is made to retrieve the corresponding image. By taking this approach, only the initial image is loaded when a user first visits the website. The initial page load for this web page uses 70 requests to load a total of 895,040 bytes. Without asynchronous content loading, there would be 22 additional requests and an additional 729,549 bytes loaded. 

Suppress JavaScript files for anonymous users. Another advanced technique to optimize the size of your page payload is suppressing the loading of certain JavaScript files for anonymous users. For example, anonymous users don’t interact with the ribbon on your SharePoint site, so loading the sp.ribbon.js file isn’t required. Other files you can typically suppress are the cui.js and core.js files. Collectively, these files add three requests and 233,099 bytes to your page payload size. 

This technique requires the greatest amount of testing to ensure that your website will perform properly when these files are suppressed, especially if you’re using a large number of out-of-the-box Web Parts. Also, keep in mind that if 
you’re using SharePoint’s ECMAScript Client Object Model, 
the core.js file shouldn’t be suppressed. To learn more 
about this technique, check out Chris O’Brien’s excellent 
blog “Eliminating large JS files to optimize SharePoint 2010 
internet sites” (www.sharepointnutsandbolts.com/2011/01/ 
eliminating-large-js-files-to-optimize.html). 





Figure 3: Content By Query Web Part displaying videos stored in 
a SharePoint list 



Figure 4: The same Content By Query Web Part displaying the 
next video in the list 


Understanding the various options to reduce page size can 
help your SharePoint websites perform well. However, in 
the real world, not all website projects have the time or 
budget allocated to implement all of these techniques. It’s 
certainly possible to create SharePoint websites that have 
acceptable page payload sizes without implementing all of 
these techniques. 

Also, keep in mind that page payload size isn’t the only factor that makes a fast SharePoint site. Many other performance considerations should be taken into account, such as the quality of your custom code, cache setup, server farm hardware, and network configuration. 

Lesson 2: Use Content By Query Web Part 

Although the Content By Query Web Part hasn’t changed 
much in SharePoint 2010, it still remains a very powerful 
tool that you can use to display content in a compelling 
way. The Lync marketing site in Figure 3 uses the Content 
By Query Web Part to display product-related videos. 

The section of the page with the red box around it displays 
videos stored in a SharePoint list. When a user clicks the 
arrows at either end of the video list, the Web Part brings 
the next video into view and asynchronously loads the corresponding image, as Figure 4 shows. 


The product video section employs an out-of-the-box 
Content By Query Web Part that uses custom Extensible 
Style Language (XSL) code to format the data it displays. 
The scrolling effect is accomplished with JQuery. 

In more complex scenarios, you can develop custom Web 
Parts that inherit from the Content By Query Web Part. A 
perfect example is the Web Parts in the Visio marketing 
website in Figure 5. 

The green box highlights an out-of-the-box Content By 
Query Web Part configured to display sorting criteria and 
apply them to the page. The two red boxes highlight custom Web Parts that inherit from the Content By Query Web 
Part. The custom Web Part on the left provides metadata- 
based filtering capabilities. It queries the SharePoint 
Managed Metadata Service to retrieve and display terms in 
the term store for the content on the page. The custom Web 
Part on the right displays the filtered items. All three Web 
Parts on the page use custom XSL code to define their look 
and feel. 

It’s important to understand how Content By Query Web 
Parts behave in anonymous access scenarios. First, be aware 
that you shouldn’t link to specific list items from Content By 
Query Web Parts because the ability for anonymous users to 
view form pages isn’t enabled, even when anonymous access 
is enabled on the SharePoint website. However, you can turn 
on this functionality programmatically. 

You also need to be aware that the Content By Query Web Part’s CopyUtil functionality will break if the lockdown feature is enabled. (CopyUtil.aspx is found under the _layouts virtual directory.) To work around this problem, target all 



Figure 5: Content By Query Web Parts that provide metadata- 
based sorting and filtering 
Figure 6: Out-of-the-box rating control with a Sign In link 

Figure 7: Out-of-the-box rating control when a user is signed in 


the links in your Content Query Web Part to publishing 
pages in your SharePoint websites. 

Lesson 3: Learn How to Allow Anonymous 
Users to Rate Content 

More often than not, when you create a new website nowadays, one requirement is the need to let users rate content 
in the website. SharePoint 2010 ships with functionality that 
allows users to rate any list item in a SharePoint website, 
such as pages, videos, pictures, audio clips, or anything 
else you can store in a SharePoint list. However, this ratings 
functionality is designed to work only for users who are 
logged on to the SharePoint website. There are two ways to 
implement ratings functionality in public-facing SharePoint 
websites. 

The first way is to require users to sign in before they can 
rate an item. An example of this scenario is the SharePoint 
marketing website. In Figure 6, the rating for the video is 
displayed in the lower right of the screen. When users aren’t 
signed in, the Sign In link appears below the rating control. 
When users click the Sign In link, they’re redirected to the 
page where they can sign in with their Windows Live IDs. 
After they sign in, they’re redirected back to the page where 
they started (see Figure 7), and the ratings control is enabled. 


Item URL                       One  Two  Three  Four  Five  Count  Rating 
/sites/pub/pages/default.aspx    1    2      5     4    11     23     4.0 

Figure 8: Sample data in a hidden list that stores rating data 


The second approach is to create your own ratings control that allows anonymous users to rate content. The Visio marketing website implements this approach. The anonymous ratings Web Part created for this website stores ratings in a custom hidden SharePoint list. Figure 8 shows sample data in the hidden list that stores the rating data. 

The anonymous rating Web Part uses the SPSecurity 
.RunWithElevatedPrivileges method to create and update 
the list items that store the rating data. AJAX is used to 
submit ratings and retrieve them without refreshing the 
entire Web page. The JQuery library is used to manipulate 
the CSS and associated elements in the Web Part. 

When Gary Lapointe and I built the anonymous rating Web Part, we used the same CSS as the out-of-the-box rating control so that our anonymous rating Web Part looked like the out-of-the-box ratings control. The anonymous rating Web Part uses cookies to determine if the user viewing the page has previously rated the item. This approach is less foolproof than the other approach because a user can delete the cookies and rate the item again. However, this approach lets anonymous users rate items in SharePoint without logging in. For the Visio website, having people possibly rate an item more than once wasn’t considered a big enough risk to require users to sign in. 
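An added example, written in Python rather than the Web Part's C# and not the code the authors built: a model of the hidden ratings list described above, with the columns from Figure 8, the server-side validation that should run before anything is written under elevated privileges, and the cookie check that the article notes can be defeated by clearing cookies. The `store` dictionary stands in for the hidden list and `cookies` for the request's cookie jar; both are assumptions of this model, and the sample row is taken from Figure 8.

```python
from dataclasses import dataclass, field

STARS = range(1, 6)


@dataclass
class RatingRow:
    """One row of the hidden ratings list, with the columns shown in Figure 8:
    a tally per star value plus the derived Count and Rating."""
    item_url: str
    counts: dict = field(default_factory=lambda: {s: 0 for s in STARS})

    @property
    def count(self):
        return sum(self.counts.values())

    @property
    def rating(self):
        """Average star value rounded to one decimal, 0.0 when unrated."""
        if self.count == 0:
            return 0.0
        return round(sum(s * n for s, n in self.counts.items()) / self.count, 1)


# Constructed from the sample row in Figure 8.
FIGURE_8_ROW = RatingRow("/sites/pub/pages/default.aspx",
                         {1: 1, 2: 2, 3: 5, 4: 4, 5: 11})


def parse_rating(raw):
    """Validate the value posted from the browser before anything is written
    under elevated privileges: only an integer 1..5 is accepted."""
    try:
        value = int(str(raw).strip())
    except ValueError:
        raise ValueError(f"rating must be an integer 1-5, got {raw!r}") from None
    if value not in STARS:
        raise ValueError(f"rating out of range: {value}")
    return value


def submit_rating(store, item_url, raw_value, cookies, cookie_name="rated"):
    """Record a rating unless the visitor's cookie says this item was already
    rated. 'store' stands in for the hidden list (url -> RatingRow) and
    'cookies' for the request/response cookie jar. Returns (accepted, row)."""
    rated = set(filter(None, cookies.get(cookie_name, "").split("|")))
    if item_url in rated:
        return False, store.get(item_url)
    value = parse_rating(raw_value)          # validate before touching the list
    row = store.setdefault(item_url, RatingRow(item_url))
    row.counts[value] += 1
    rated.add(item_url)
    cookies[cookie_name] = "|".join(sorted(rated))
    return True, row


if __name__ == "__main__":
    store, cookies = {}, {}
    print(submit_rating(store, "/sites/pub/pages/video.aspx", "5", cookies))
    print(submit_rating(store, "/sites/pub/pages/video.aspx", "1", cookies))
    print(FIGURE_8_ROW.count, FIGURE_8_ROW.rating)
```

Because the write happens with elevated privileges, the validation in `parse_rating` is the only thing standing between an anonymous request and the list: the cookie check limits duplicates for honest visitors, but a request sent with an empty cookie jar is accepted again, which is exactly the trade-off the Visio site accepted.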

Techniques Help Solve Common Problems 

These three lessons are only some of the lessons I learned 
while building public-facing Internet sites on the SharePoint 
platform. The techniques they teach can help you prevent 
or solve common problems, so keep them in mind when 
you build your SharePoint websites. Also keep in mind that 
you need to consider many other performance, usability, 
and supportability issues to make sure that your website 
meets the needs of the website owners and end users. 

By Celina Baginski 

15 SharePoint 2010 
Branding Tips 

Easily customize SharePoint to attract visitors and end users 



When I first started branding for SharePoint 2010, 
I began making a list of branding tips to share 
with the students in my branding courses. Here 
are some of the tips that my students and I have found 
most useful. 


SharePoint Designer Tips 

The SharePoint Designer 2010 interface is radically different from the 2007 interface. These SharePoint Designer tips will help simplify your work with SharePoint Designer 2010. 

Tip 1: Change master page content type to Publishing Master Page. My first SharePoint 2010 branding project included importing a master page and making a few edits. I noticed that when I imported my master page in 2010, it wasn’t in the master page folder. 

In SharePoint Designer 2007, both the master pages and the page layouts are stored in the masterpage folder located in the _catalogs folder. However, in SharePoint Designer 2010 there are separate files, one for master pages and another for page layouts. If you open SharePoint in a web browser and click Site Actions, Site Settings, then click Master pages and page layouts in the Galleries section, you’ll see that your master page was uploaded successfully. You’ll also notice that the icon next to the file name indicates that it’s a master page file. But why is it not showing up in the Master Pages folder in SharePoint Designer 2010? 

If you choose Edit Properties for the master page file, you’ll see in the Content Type dropdown menu that Page Layout was the default when the master page was uploaded. As a result, the master page that you recently uploaded is in the Page Layout folder, not in the Master Pages folder. To change this, simply change the content type of your master page by selecting Publishing Master Page in the Content Type drop-down menu. In SharePoint Designer 2010, refresh the Master Pages folder by pressing F5, and you’ll see your imported master page in SharePoint Designer’s Master Pages folder. 

Tip 2: Pin a gallery. In SharePoint Designer 2007, I was used to developing with the Folder List always visible on the left side. In 2010, you can pin a gallery so that a mini-gallery is always visible below the navigation pane (see Figure 1). To pin a gallery, hover over the link that you want to pin, then click the pin icon when it appears. This gallery will continue to be displayed even if you browse to another gallery. 


Tip 3: Use Ctrl + click to jump to the code of a class. Both SharePoint Designer 2007 and 2010 provide a helpful feature that lets you click an underlined class name while holding down the Ctrl key. Do this in your master page or page layout to go directly to that piece of code. For example, if you click class="ms-TumOffAcc" in your master page, the corev4.css file (where that class is located) opens. Additionally, you’ll be taken directly to that piece of code within that file. 

Tip 4: Access the Toolbox easily. I’ve received several questions regarding opening the Toolbox in SharePoint Designer 2010. After you have opened an editable 2010 file, such as a master page or a .css file, the View tab will appear on the ribbon. Just click the Task Panes drop-down list from the ribbon, then click Toolbox. (See Figure 2.) 

Figure 2: Open Toolbox 
Tip 5: Know the difference between Page fields and Content 
fields. In the Toolbox, you’ll find a list of Page fields and Content 
fields. Why are these site columns categorized differently? The 
Page Fields category contains site columns that are inherited 
from the parent content type from which the page layout was 
created. The Content Fields category contains site columns that 
are specific to the content type that the page layout was created 
from. Figure 3 shows a list of Page fields and Content fields. 

Master Page Tips 

These master page branding tips are needed for almost 
every branding project. 

Tip 6: Use the After property to force a .css file to load after another. When you reference a .css file in your master page, the After property is helpful. The After property is new to SharePoint 2010 and is used to force a .css file to load one after the other. For example, if you reference a custom .css file in your master page and the After property reads After="corev4.css", your custom .css file will load after the out-of-the-box corev4.css file. You can use this After property more than once to specify that an entire list of .css files should load one after the other. In the following example, customfile1.css loads after corev4.css: 

<SharePoint:CSSRegistration Name="/Style Library/customfile1.css" After="corev4.css" runat="server"/> 

Here is another example showing how customfile2.css loads after customfile1.css: 

<SharePoint:CSSRegistration Name="/Style Library/customfile2.css" After="customfile1.css" runat="server"/> 


Tip 7: Use the $SPUrl token to reference a .css file. If you 
need to make a reference to your .css file and specify that 
it’s located at either the root of a site collection or at the 
root of a subsite site, you can use a $SPUrl token. Here’s an 
example of how to reference a .css file that’s located at the 
root of a site collection: 


<SharePoint:CSSRegistration Name="<% $SPUrl:~sitecollection/Style Library/customfile.css %>" After="corev4.css" runat="server"/> 

And here’s an example of how to reference a .css file that’s located at the root of a subsite: 

<SharePoint:CSSRegistration Name="<% $SPUrl:~site/Style Library/customfile.css %>" After="corev4.css" runat="server"/> 

Tip 8: Apply master pages to publishing sites. To apply 
master pages to publishing sites in SharePoint, click Site 
Actions, Site Settings, then click Master Page under Look 
and Feel. You’ll see two sections (Site Master Page and 
System Master Page) that include drop-down lists. 

Site Master Page is used by publishing content pages and is defined by the dynamic token ~masterurl/custom.master 


in the content page directive. To apply Site Master Page 
using SharePoint Designer, right-click a master page file, 
and click Set as Custom Master Page (see Figure 4). 

System Master Page is used by non-publishing sites, publishing site subpages (such as list views, libraries, and forms), dialog pop-up windows, and application pages. It’s defined by the dynamic token ~masterurl/default.master 
in the content page directive. To apply System Master Page 
using SharePoint Designer, right-click a master page file, 
and click Set as Default Master Page. 

Tip 9: Hide content placeholders not used by SharePoint 2010. A handful of content placeholders aren’t required for your SharePoint 2010 master page, but they are required for backward compatibility. If you know that your master page will be used only for SharePoint 2010, you can hide the backward-compatible content placeholders in your master page to reduce the amount of HTML that’s rendered when the page loads. Note that you can’t delete the unused content placeholders because you’ll receive an error message saying that SharePoint is looking for that particular content placeholder. The proper thing to do is to hide them. 

The out-of-the-box v4.master file uses CSS to override these content placeholders. (Search for the s4-die class, and you’ll see several instances of this class.) However, placing these content placeholders in a non-visible panel instead of hiding them through CSS is a more efficient option that will help your page to load faster. 

Figure 5 shows nine non-required content placeholders in a non-visible panel. 

Tip 10: Learn the master pages. Four out-of-the-box master pages are often used for branding in SharePoint 2010. The default.master page, also known as v3.master, is equivalent to the default master page in SharePoint 2007. If you apply this master page to your SharePoint 2010 site, the ribbon is stripped out and the Site Actions menu is located to the right of the global navigation container. 

Figure 3: Page Fields and Content Fields (the Toolbox pane listing the Page Fields and the Content Fields inherited from the Welcome Page content type) 

Figure 4: Apply master page from SPD 2010 

This is the master page that’s used when SharePoint 2007 is 
upgraded to 2010. It can be used only when SharePoint 2010 
is in SharePoint 2007 mode via Visual Upgrade. 

The v4.master page is the default team site master page and 
can be used for both publishing and non-publishing sites, 
whereas the nightandday.master page is used only for publishing sites. The nightandday.master page is similar to the Blueband master page that came with SharePoint 2007. The minimal.master page is used for sites that have their own navigation control or that need additional space to display content, such as the search center and Office Web Applications. 


The second approach is to fix the width of the body area 
and the entire ribbon. This works well if your design looks 
best when the entire ribbon is a fixed width. However, 
there will be unused space at the top of the scroll bar. To 
use this second approach, add the CSS code in Listing 2 to 
your master page or style sheet. 

You can remove the extra white space where the back¬ 
ground of the ribbon used to be by completely reverting 
back to the browser’s traditional scroll bar. To do this, 
the ribbon-positioning method needs to be turned off or 
removed by deleting the ID s4-workspace from the master 
page. There are consequences to removing this ID from 
the master page. One known consequence is that the 
Gantt view of a project list no longer appears. To use this 
approach, search for id= "s4-workspace" and remove it 
from the < div > container in your master page. 

The last option is to add inline styles to your master page to 
set a fixed width to the ribbon and the main workspace. Then 
turn off the ribbon-positioning method to revert to the brows¬ 
er’s standard scrolling system. (This topic was covered in part 
two of my article “SharePoint Branding 101: Customizing Your 
SharePoint Site” at www.sharepointpromag.com, InstantDoc 
ID 136262.) 

To center the ribbon and make it a fixed width, perform 
Figure 5: Backward compatible content placeholders in a non-visible panel

<asp:Panel visible="false" runat="server">
  <asp:ContentPlaceHolder id="PlaceHolderSiteName" runat="server" />
  <asp:ContentPlaceHolder id="PlaceHolderPageImage" runat="server" />
  <asp:ContentPlaceHolder id="PlaceHolderTitleLeftBorder" runat="server" />
  <asp:ContentPlaceHolder id="PlaceHolderMiniConsole" runat="server" />
  <asp:ContentPlaceHolder id="PlaceHolderTitleRightMargin" runat="server" />
  <asp:ContentPlaceHolder id="PlaceHolderTitleAreaSeparator" runat="server" />
  <asp:ContentPlaceHolder id="PlaceHolderNavSpacer" runat="server" />
  <asp:ContentPlaceHolder id="PlaceHolderLeftNavBarBorder" runat="server" />
  <asp:ContentPlaceHolder id="PlaceHolderBodyLeftBorder" runat="server" />
</asp:Panel>

Tip 11: Use a fixed-width design. Most custom SharePoint branding projects require a fixed-width site design, but SharePoint's ribbon-positioning method creates complexity when you try to build one: it keeps the ribbon docked at the top of the page, and it replaces the browser's traditional scrolling by using JavaScript to measure the page and insert a custom scroll bar underneath the ribbon.

You can choose among several approaches to implement a fixed-width design. (The following tips aren't targeted to anonymous-access-enabled sites.) The quickest and most straightforward approach is to modify a few default CSS classes to make the site a fixed width, and to match the width of the ribbon's contents to that of the site design. (The ribbon's contents are a fixed width, but the ribbon container remains the full width of the browser.) Add the CSS code in Listing 1 to your master page or style sheet. Note that this approach might conflict with your design.

/* This creates a fixed-width site design. Applying the fixed width to
   #s4-bodyContainer keeps the scroll bar at the far right side of the site. */
#s4-bodyContainer {
  width: 960px !important;
  margin: auto;
}

/* This makes the contents of the ribbon a fixed width. */
.ms-cui-ribbonTopBars, .ms-cui-tabBody {
  width: 960px;
  margin: auto;
}

/* This removes a white line underneath the ribbon that looks out of place
   when the ribbon's contents are a fixed width. */
.ms-cui-ribbonTopBars div {
  border-bottom: 1px solid transparent;
}

Listing 1: Code to Make Both the Ribbon's Contents and the Site Design a Fixed Width

Perform a search for id="s4-ribbonrow". Add a width style of 
960px to the <div> tag, and set the margins to auto, as follows:

<div id="s4-ribbonrow" class="s4-pr s4-ribbonrowhidetitle" style="width:960px; margin:auto">

To center the main workspace and make it a fixed width, perform a search for id="s4-workspace". Add the class s4-nosetwidth to the <div> tag, add a width style of 960px, and set the margins to auto, as follows:

<div id="s4-workspace" class="s4-nosetwidth" style="width:960px; margin:auto">

Note that the class s4-nosetwidth tells SharePoint not to override our fixed width with inline styling when the page loads in the browser. To revert to the browser's standard scrolling method, search for id="s4-workspace" and remove that id from the <div> container in your master page.

Tip 12: Manage code that provides error messages to 
legacy browsers. Toward the bottom of an out-of-the-box 
master page, a line of code has been inserted to provide 
an error message for users viewing SharePoint 2010 in an 
unsupported browser. You can insert this line of code in 
your own custom master pages as well. If you don’t want 
this warning to be presented to all users, simply remove the 
following line of code from the master page: 

<SharePoint:WarnOnUnsupportedBrowsers runat="server" /> 

Tip 13: Add a traditional breadcrumb. SharePoint 2010 
uses a pop-out hierarchical global breadcrumb found on 
the ribbon and a combination of site title and current page 
title (or list title) in the header area that can also serve as 
a type of breadcrumb. However, a lot of clients definitely 
miss (and will ask for) a traditional breadcrumb. To add 
the traditional SharePoint 2007 breadcrumb to your new 
SharePoint 2010 master page, add this code: 

<asp:SiteMapPath runat="server" />

You might want to add some styling around it as well so that it matches your brand.

/* A scroll bar is added if overflow is clipped. */
body.v4master {
  overflow: auto;
}

/* This creates a fixed-width site design. Applying the fixed width to
   #s4-bodyContainer keeps the scroll bar at the far right side of the site. */
#s4-bodyContainer {
  width: 960px !important;
  margin: auto;
}

/* This makes the entire ribbon a fixed width. */
#s4-ribbonrow {
  width: 960px;
  margin: auto;
}

Listing 2: Code to Make Both the Entire Ribbon and the Site Design a Fixed Width

Tip 14: Learn the CSS class s4-notdlg. Many new CSS classes were added to SharePoint 2010. In addition to the s4-nosetwidth class, which was already discussed in the master page section of this article, here is another CSS tip that is often useful when branding in SharePoint 2010.

I mentioned in Tip 8 that the master page identified as System Master Page will be applied to dialog pop-up windows. You'll notice several instances of the s4-notdlg class within out-of-the-box SharePoint 2010 master pages. This class tells SharePoint not to render the element that the class wraps inside the dialog box. For example, if you create a custom master page with a custom header and apply the s4-notdlg class to that element, the header won't appear in the dialog pop-up window. If you don't apply the class s4-notdlg, the header will appear in the dialog pop-up window.

Tip 15: Turn on full error messages. This tip isn't new to SharePoint 2010, but it's still helpful. By default, SharePoint turns custom errors on so that users see a friendlier error message. However, the custom error messages don't help designers troubleshooting an issue. To turn off custom error messaging, perform the following steps on the development web server:

1. Navigate to the following site directory:

<Local drive>:\inetpub\wwwroot\wss\VirtualDirectories\[subdirectory with the port number of your SharePoint site]

2. Locate the web.config file, and make a copy of it as a backup.

3. In Notepad, open the web.config file.

4. Search for "CallStack." You will find the following:

<SafeMode MaxControls="200" CallStack="false" DirectFileDependencies="10" TotalFileDependencies="50" AllowPageLevelTrace="false">

5. Change the value of the CallStack and AllowPageLevelTrace attributes to true.

6. Search for "CustomErrors," then change the customErrors mode to Off.

7. Save and close the file. 

The cache for the website whose web.config you changed is invalidated and reloaded. The site now displays the ASP.NET error page, which shows the full error message and the exception stack trace. Do this only on the development server and revert all three settings before the master page ships: a stack trace discloses file paths, assembly versions and control names to anyone who can trigger an error, including unauthenticated visitors on an anonymous-access site.
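The seven steps above as a script, added here as an example rather than code from the article. It assumes the element names the tip quotes (SafeMode under the SharePoint element, customErrors under system.web) and the default IIS path from step 1; the Find-SPVerboseErrorConfig function is the check a security reviewer wants afterwards, because these settings have a habit of surviving into production.

```powershell
# Added example (not from the article). Toggles the Tip 15 settings on one
# web.config and audits every SharePoint web.config on the box for verbose
# errors that were left on. Assumes the element names quoted in the tip.
# Run in an elevated PowerShell on the development server.

function Set-SPVerboseErrors {
    param(
        [Parameter(Mandatory=$true)][string]$WebConfigPath,
        [switch]$Disable   # revert to the production-safe values
    )
    if (-not (Test-Path $WebConfigPath)) { throw "web.config not found: $WebConfigPath" }
    $WebConfigPath = (Resolve-Path $WebConfigPath).Path   # XmlDocument.Save needs an absolute path

    # Step 2 of the tip: a timestamped backup before touching the file.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Copy-Item $WebConfigPath "$WebConfigPath.$stamp.bak"

    [xml]$cfg = Get-Content $WebConfigPath

    # Steps 4-6: SafeMode lives under configuration/SharePoint, customErrors under system.web.
    $safeMode = $cfg.SelectSingleNode('/configuration/SharePoint/SafeMode')
    $custom   = $cfg.SelectSingleNode('/configuration/system.web/customErrors')
    if ($safeMode -eq $null -or $custom -eq $null) {
        throw "Expected SafeMode and customErrors elements; is this a SharePoint web.config?"
    }

    if ($Disable) {
        $safeMode.SetAttribute('CallStack', 'false')
        $safeMode.SetAttribute('AllowPageLevelTrace', 'false')
        $custom.SetAttribute('mode', 'On')
    } else {
        $safeMode.SetAttribute('CallStack', 'true')
        $safeMode.SetAttribute('AllowPageLevelTrace', 'true')
        $custom.SetAttribute('mode', 'Off')
    }
    $cfg.Save($WebConfigPath)   # IIS sees the change and recycles the application
}

# Audit: report every web application whose web.config still leaks stack traces.
function Find-SPVerboseErrorConfig {
    param([string]$Root = 'C:\inetpub\wwwroot\wss\VirtualDirectories')   # default IIS path from step 1
    Get-ChildItem -Path $Root -Filter web.config -Recurse | ForEach-Object {
        try { [xml]$cfg = Get-Content $_.FullName } catch { return }   # skip unparsable files
        $safeMode = $cfg.SelectSingleNode('/configuration/SharePoint/SafeMode')
        if ($safeMode -eq $null) { return }   # not a SharePoint application web.config
        $custom    = $cfg.SelectSingleNode('/configuration/system.web/customErrors')
        $callStack = $safeMode.GetAttribute('CallStack')
        $trace     = $safeMode.GetAttribute('AllowPageLevelTrace')
        $mode      = if ($custom -ne $null) { $custom.GetAttribute('mode') } else { '' }
        New-Object PSObject -Property @{
            Path         = $_.FullName
            CallStack    = $callStack
            PageTrace    = $trace
            CustomErrors = $mode
            Verbose      = ($callStack -eq 'true') -or ($trace -eq 'true') -or ($mode -eq 'Off')
        }
    }
}

# Usage (assumed port 80 web application):
# Set-SPVerboseErrors -WebConfigPath 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config'
# ...troubleshoot...
# Set-SPVerboseErrors -WebConfigPath 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config' -Disable
# Find-SPVerboseErrorConfig | Where-Object { $_.Verbose } | Format-Table Path, CallStack, PageTrace, CustomErrors
```

Run the audit from a scheduled task on every web front end; a row with Verbose set to true on a production farm is a finding, not a convenience.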

InstantDoc ID 136366 


Celina Baginski (cbaginski@go-planet.com) is the branding 
development director at Planet Technologies. She has 6 years of 
SharePoint experience and 13 years of design experience. Over the 
past 3 years, Celina has branded 40 SharePoint sites. 
By Ron Charity

SharePoint 2010 Backup and Recovery

SharePoint's complex nature requires a thorough plan


SharePoint's business-value proposition creates support pain for IT. Much of this pain is felt in backup and recovery, which must occur on three levels: item, site, and farm. I'd like to offer a holistic view of SharePoint backup and restore and focus on creating and managing a sustainable, comprehensive SharePoint backup and restore solution. To create a plan that supports all three levels above, you must

• understand stakeholder requirements
• define service level agreements (SLAs)
• plan for a complete set of backup and restore components
• consider the technical architecture
• evaluate backup and restore toolsets
• create policy and process documentation
• provide operations and awareness training
• develop a test plan
• complete a proof of concept or pilot
• sign off with farm and application owners
• create a backup schedule
• develop a governance plan
• consider the backup and restore processes

Stakeholder Requirements 

To understand the requirements and expectations of a SharePoint backup and recovery plan, you must reach out to stakeholders, including people who

• use SharePoint daily, as a tool for collaboration
• run applications (or components) on top of SharePoint
• sustain SharePoint and the related infrastructure

Two crucial goals are at play: to gather requirements from the various stakeholders and to educate stakeholders and thereby proactively manage expectations. You do this by interviewing each stakeholder. To begin, ask business staff

• Is the data to be backed up directly linked to revenue generation?
• What is the cost per hour?
• If the data is lost, what is the cost to recreate it?
• If the data is lost, will the brand be affected?
• Is the data directly classed as corporate records?
• Who uses the data and how many rely on it?
• When do users access the data?

For IT staff, begin with these questions:

• Are any outsourcing contracts associated with backup and restore, or with the related infrastructure?
• Which backup and restore tools are in place? Do they support SharePoint?
• Which backup and restore infrastructure is in place?
• Which skills that relate to backup and restore are in place? What about skills that relate to SharePoint or Microsoft SQL Server?
• Are there constraints within the IT environment (e.g., network bandwidth, storage, tape libraries)?
• What are the existing backup rotation schedules and windows?
• Where are the SharePoint farms? What is their configuration? How much data is involved?

(See Table 1 for additional questions.) After you complete this, you can document service level objectives and distribute them for review. You'll use them next to define SLAs.

Service Level Agreements

Defining SLAs requires a mix of technical skill, financial skill, and political savvy. The technical aspects of most SLAs are well defined and provided by the various backup and restore toolset vendors. They have experienced staff and an abundance of documentation that can provide comparisons, value statements, and technical data. The true challenge is creating a solution that addresses business expectations, financing (i.e., what is being requested versus what you can afford), and environmental realities (e.g., infrastructure readiness, SharePoint customizations). In your SLAs, you state the facts regarding the backup and restore service:

• what will and what won't be backed up, and why (think recovery time objective, RTO, and recovery point objective, RPO)
• when data will be backed up, as well as any performance, change control, or administration implications
• data restore performance and administration implications
• backup speed performance related to capacity plans
• IT, site administrator, and end-user responsibilities
• process for provisioning backup and restore
• process for recovering data

SLAs must be publicized and reviewed on a regular basis to manage expectations. Also, when you provision new farms, get business and IT stakeholders to physically sign off on their understanding of the SLAs that apply to those farms.

Backup and Restore Components

A successful SharePoint backup and restore solution also includes cost, people, process, and policy to make sure that it meets expectations and is sustainable. These topics usually present the most complex or unforeseen challenges, because backing up and restoring a SharePoint farm is a complex task. For example, you must rebuild the server or servers, load Windows Server, load SQL Server, then load SharePoint. Then you need to apply service packs, cumulative updates, and customizations, and think of all the reboots involved during the build. (See www.sharepointpromag.com, InstantDoc ID 140201, for the "Slipstreaming and WSPs" sidebar associated with the web version of this article for a suggestion for customized farms.)

Technical Architecture

Backup architecture generally consists of the SharePoint farm (and backup agents installed on the web front ends, WFEs), a staging farm (usually a single server), storage (a location for disk backups), and tape backup systems. From a storage perspective, I suggest that you plan the space you require based on the total size of your farm databases, then add a safety margin. Also consider the impact of a staging server (usually a single server with disk space to restore the databases) in your data center.

Though not specific to backup and restore architecture, your farms' information architecture (i.e., how you provision and organize sites, site collections, and applications) is key to helping you meet SLAs, by isolating high-value data and configuring backup and restore jobs accordingly. If high- and low-value data are combined, then meeting SLAs will be difficult because of growing backup windows and associated recovery times. Keep in mind that SharePoint-specific backup toolsets don't have the throughput of a SQL Server backup toolset. Another aspect of information management is archiving. Some data loses its value over time; refer to the Storage Networking Industry Association (SNIA) Data Policy model for details. Consider archival solutions that migrate such data to a low-cost repository. (Compliance-related data must be migrated to the corporate records-management system.) Many organizations experience a 40- to 50-percent growth in data each year. Disk costs are a small component; when you factor in performance degradation, staffing, backup software, and data center costs (air, power, space), the cost of having low-value data in SharePoint and SQL Server adds up.

Also consider the capacity and utilization of the storage that you use, and plan your performance (i.e., I/O operations per second, IOPS) needs with an experienced SAN administrator who knows the environment well. From an operational perspective, you want the most speed possible to keep your window small and contained. You also want to isolate operational-related traffic so that you don't experience network-congestion problems.

Policy
• What are the current policies for RTO and RPO? Do they differ from SharePoint's requirements?
• What is the data policy? What is the value of data to the organization? What are the compliance requirements?
• Which administration policies must be followed to remain compliant?
• What are the security policies regarding data protection and handling?

Process
• Which backup and restore processes are in place?
• How will the SharePoint backup and restore solution affect SharePoint administration and use?
• Which tests must be performed to ensure success?
• How will the backup and restore process affect operational windows? What jobs are in place? How resource-intensive are they?

People
• How will the SharePoint backup and restore solution affect current operations staffing? Are outsourcers involved?
• How will site owners and users be affected by backup and recovery? What is their role in the process?
• Which training and awareness programs are required? What about operator and Help desk training and user awareness training? Which tools are required to support the training and communications?

Tools
• Which tools best meet requirements?
• What infrastructure exists? Are agents available for SharePoint? Is a second toolset and supporting infrastructure required?
• What is the data-center footprint (i.e., servers, network, storage, power, and A/C)?
• With which vendor(s) are agreements needed? Which services do they provide?
• Do we outsource? How will that affect service costs? What are the initial provisioning costs plus monthly fees?
• How will the infrastructure be affected (e.g., more servers, networking, storage)?
• How can capacity and recovery time be balanced? How about SQL Server database sizes vs. application needs?

Table 1: Questions for Creating a SharePoint Backup and Restore Plan

Component: Operator console
  Description: Backup software operator console

Component: SharePoint farm
  Description: Production SharePoint farm

Component: Staging farm
  Description: SharePoint farm used by some toolsets to stage data recovery before restoration to the production farm
  Notes: Should reside in the same data center as the production farm, for recovery speed purposes

Component: Client-facing network
  Description: Client traffic network
  Notes: Isolate traffic to reduce the chance of performance degradation

Component: Farm network
  Description: Farm and operational traffic network
  Notes: Isolate traffic to reduce the chance of performance degradation

Component: SAN
  Description: Location for backup files

Component: Tape library
  Description: Location for transferring backup files to tape

Table 2: SharePoint Backup and Restore Components

Table 2 describes the components of a SharePoint backup architecture. Make sure to keep detailed and up-to-date documentation for your environment. Tools that help with this process are available, such as Microsoft System Center Configuration Manager (SCCM) and the free SharePoint Documentation Generator (SPDocGen, spdocgen.codeplex.com).

Backup and Restore Toolsets

Several tools are available for SharePoint backup and restore. (See Table 3 for an overview of tool differences.) These differences affect how you recover, the depth of recovery, and the data center footprint required. (See www.sharepointpromag.com, InstantDoc ID 140201, for the "Change Control" sidebar associated with the web version of this article for more information.) Microsoft also offers a comparison of its built-in tools and System Center Data Protection Manager (DPM) at technet.microsoft.com/en-us/library/cc263427(office.12).aspx.

Some tools require a staging farm to recover data, so you must plan for impacts to people, process, policy, and tools. Also note that recovery speed appears to degrade with the level of granularity. For example, list-item-level backup speed has been reported at 20GB/hr, versus SQL Server backup speeds that are much faster. If you have a large farm with multiple content databases, you can see that granular backups could exceed your backup window. You should also evaluate other products as part of your diligence exercise. For example, Metalogix has a SharePoint tool that lets you use a simple Windows Explorer interface to browse content databases and retrieve content.

Product: SharePoint 2007 built-in backup
  Recovery type: In-place recovery
  Site collection size: 100GB and less
  Recovery depth: Farm and granular recovery to site-collection level

Product: SharePoint 2010 built-in backup
  Recovery type: In-place recovery
  Site collection size: 100GB and less
  Recovery depth: Farm and granular recovery to list level; requires Windows PowerShell for granular restore

Product: Microsoft SQL Server 2008 R2 built-in backup
  Recovery type: In-place or staging recovery
  Site collection size: 100GB and more
  Recovery depth: Content databases only; no granularity (all or nothing)

Product: AvePoint DocAve Backup and Restore
  Recovery type: In-place recovery
  Site collection size: 100GB and more
  Recovery depth: Farm and granular recovery to item level

Product: HP Data Protector with Granular Recovery Extension for SharePoint
  Recovery type: Staging farm required
  Site collection size: 100GB and more
  Recovery depth: Single server farm and granular recovery to item level

Product: Microsoft DPM 2007
  Recovery type: Staging farm required
  Site collection size: 100GB and more
  Recovery depth: Single server farm and granular recovery to item level

Product: Microsoft DPM 2010
  Recovery type: In-place recovery
  Site collection size: 100GB and more
  Recovery depth: Farm and granular recovery to item level

Table 3: SharePoint Backup and Restore Tool Comparison

Policy and Process Documentation

Your solution will require policy and procedural documents that operators, site administrators, and users can follow. You'll need these documents (accompanied by training):

• How-to manual: explains how to back up and rebuild farms, and recover individual components.
• Help desk call-handling manual: explains how to handle backup and recovery requests, questions to ask, request tracking, follow-up procedures, tools to use.
• Communications plan: includes policy and instructions regarding communications with the involved parties.
• Contact list: includes media, farm owners, support, Help desk, and others (e.g., data-center personnel).

Operations and Awareness Training

After your solution's in place, people must be trained (in administration and operation) and stakeholders educated about the solution (particularly the SLAs). You also must create general awareness of the solution. I recommend

• Training for operators: how to back up and restore SharePoint, how to manage related admin tasks.
• Awareness training: staff such as stakeholders and architects need architectural information.

Follow-up sessions can reinforce key points and drive awareness. You might also create a site with information about the backup solution, such as design documents, provisioning forms, backup schedules, performance data (i.e., the speed of backup and restore), and key contacts.
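The built-in SharePoint 2010 toolset from Table 3, driven from Windows PowerShell, as an added example that is not code from the article or from Microsoft. It assumes the SharePoint 2010 Management Shell, farm administrator rights, a hypothetical share \\backup01\spbackup, and the element names SharePoint 2010 writes into spbrtoc.xml (SPHistoryObject, SPErrorCount, SPWarningCount and so on), which you should check against a real file from your own farm.

```powershell
# Added example (not from the article). Farm, site-collection and list-level
# backup with the built-in SharePoint 2010 cmdlets. Assumptions: run in the
# SharePoint 2010 Management Shell as a farm administrator; \\backup01\spbackup
# is a hypothetical share the farm account AND the SQL Server service account
# can write to (Backup-SPFarm has SQL Server write the database files itself).
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}
$BackupRoot = '\\backup01\spbackup'   # hypothetical

# Farm level: full at the weekend, differential on weekdays (the Table 5 pattern).
# Backup-SPFarm returns nothing useful for automation, so read spbrtoc.xml, the
# table of contents Restore-SPFarm itself uses, and fail loudly on errors.
function Invoke-SPFarmBackup {
    param([ValidateSet('Full','Differential')][string]$Method = 'Differential')
    Backup-SPFarm -Directory $BackupRoot -BackupMethod $Method -BackupThreads 3
    [xml]$toc = Get-Content (Join-Path $BackupRoot 'spbrtoc.xml')
    $latest = $toc.SPBackupRestoreHistory.SPHistoryObject |      # element names as written by SP2010 (assumed; verify)
        Where-Object { $_.SPIsBackup -eq 'True' } |
        Sort-Object { [datetime]$_.SPStartTime } -Descending |
        Select-Object -First 1
    if ([int]$latest.SPErrorCount -gt 0 -or [int]$latest.SPWarningCount -gt 0) {
        throw ('Backup {0} ended with {1} errors and {2} warnings; see spbackup.log in {3}' -f
            $latest.SPId, $latest.SPErrorCount, $latest.SPWarningCount, $latest.SPBackupDirectory)
    }
    return $latest.SPId   # hand this to Restore-SPFarm -BackupId
}

# Site-collection level. -UseSqlSnapshot keeps the site writable during the
# backup but needs SQL Server Enterprise; without it SharePoint sets the site read-only.
function Backup-SPSiteCollection {
    param([Parameter(Mandatory=$true)][string]$Url, [switch]$UseSqlSnapshot)
    $file = Join-Path $BackupRoot ('site-' + ($Url -replace '[^A-Za-z0-9]', '_') + '.bak')
    if ($UseSqlSnapshot) { Backup-SPSite -Identity $Url -Path $file -UseSqlSnapshot -Force }
    else                 { Backup-SPSite -Identity $Url -Path $file -Force }
    return $file
}

# List level: the "granular recovery to list level" row of Table 3. Export every
# version plus item permissions; Import-SPWeb puts the list back into a web of
# the same template. -ItemUrl takes the list's server-relative URL (assumed form).
function Export-SPListForRecovery {
    param([Parameter(Mandatory=$true)][string]$WebUrl,
          [Parameter(Mandatory=$true)][string]$ListServerRelativeUrl)
    $file = Join-Path $BackupRoot ('list-' + ($ListServerRelativeUrl -replace '[^A-Za-z0-9]', '_') + '.cmp')
    Export-SPWeb -Identity $WebUrl -ItemUrl $ListServerRelativeUrl -Path $file `
        -IncludeVersions All -IncludeUserSecurity -Force
    return $file
}

function Import-SPListFromExport {
    param([Parameter(Mandatory=$true)][string]$WebUrl, [Parameter(Mandatory=$true)][string]$File)
    Import-SPWeb -Identity $WebUrl -Path $File -IncludeUserSecurity -UpdateVersions Overwrite
}

# Usage (assumed URLs):
# $id  = Invoke-SPFarmBackup -Method Full
# Get-SPBackupHistory -Directory $BackupRoot -ShowBackup                 # confirm the set is catalogued
# Backup-SPSiteCollection -Url 'http://intranet/sites/hr' -UseSqlSnapshot
# $cmp = Export-SPListForRecovery -WebUrl 'http://intranet/sites/hr' -ListServerRelativeUrl '/sites/hr/Shared Documents'
# Import-SPListFromExport -WebUrl 'http://intranet/sites/hr' -File $cmp
# Restore-SPFarm -Directory $BackupRoot -BackupId $id -ShowTree            # preview components before a real restore
# Restore-SPFarm -Directory $BackupRoot -RestoreMethod Overwrite -BackupId $id
```

The error check on spbrtoc.xml is the part most scripts skip: Backup-SPFarm writes a complete-looking folder even when a content database failed, and a restore drill that starts from such a set is how you discover the gap in front of the farm owner.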

Test Plan

Testing should include two components: initial testing of the solution in a proof of concept or pilot environment, and ongoing testing (i.e., fire drills), which should occur one or two times per year. To test properly (and confidently), you need a documented plan that includes test scripts and the format for documenting test results. Generally, the test plan includes a list of tests, expected outcomes, and actual outcomes. The test plan should be used during the proof of concept or pilot operation, running end-to-end tests, and for getting stakeholders to sign off physically. A good test plan displays thoroughness and helps build credibility with stakeholders. It should include the scenarios in Table 4.

When developing test cases, include any details that you want tested and confirm that the results are noted so that you can manage stakeholders' expectations. For example, the test cases for Web Parts and for data should include verification of metadata (column) recovery, content types, version history, and workflows, since these are important configuration changes and their absence can affect users.


Proof of Concept and Pilot

Whether you use a proof of concept, a pilot, or both, the outcome is generally the same: You prove that the solution works in your environment. Your proof or pilot must reside in your data centers and in test representations of your production systems and dataset. (For pilots, you might want to back up actual production systems.) This might seem costly, but it provides a quality check that ensures that your solution works without surprises. Your proof or pilot must include

• a charter that defines the scope of the project (e.g., technology tests, process development, performance tests)
• a staffing plan that specifies operational staff, farm or application owners, and vendor technical staff
• a test plan that specifies what is being tested (e.g., farm recovery, servers, data; see Table 4)
• a physical environment plan that specifies the technology that the solution requires

The proof or pilot must also document these outcomes:

• the step-by-step backup and recovery process
• any prerequisites
• backup and restore performance
• any data loss
• a test plan report for each test
• a plan for deploying the solution into production
• a completed impact and risk assessment

Owner Sign-Off

When you're ready to go live with the production version of your solution, it's good practice to have a process for onboarding each farm and application. This involves quality checks to verify that backups complete without errors, restores complete without errors, and backup and recovery times and restore points meet SLAs. Upon recovery of each farm or application, the owner reviews the farm, based on the test plan, completing a series of tests to verify that data was restored correctly. Your tests should also check the logs and verify that the expected quantity of sites and data volumes was restored. The more quality checks you have, the better. Each owner signs off by using a paper or electronic form.

SharePoint Test Plan

Header fields:
  Date: MM/DD/YYYY
  Test plan version: version number
  Name of test operator: printed first and last name
  Signature of test operator
  Name of stakeholder: printed first and last name
  Signature of stakeholder

Test cases. For each test, record the expected outcome, the actual outcomes, and Pass or Fail. The actual outcomes to record are the same for every case: level of recoverability, identified gaps in recovery tools and process, and time required.

• Farm recovery: ability to recover the farm end to end
• Servers: ability to recover each server individually (e.g., a WFE fails)
• Site collections/applications: ability to recover a site collection and its associated applications
• Sites/settings: ability to recover a site and its associated settings
• Web Parts/settings: ability to recover a Web Part and its associated settings
• Data: ability to recover data (e.g., documents, pictures, other list items)

Table 4: SharePoint Test Plan Scenarios


Job: Incremental
  Start: Sunday-Friday 10:00 P.M.
  Completion: M-F 12:00 A.M.
  Duration: 2 hours
  Workload: Medium

Job: Full backup
  Start: Saturday 10:00 P.M.
  Completion: Sunday 4:00 A.M.
  Duration: 6 hours
  Workload: High

Job: Virus scans
  Start: Daily 4:00 A.M.
  Completion: Daily 5:00 A.M.
  Duration: 1 hour
  Workload: Medium

Job: SQL Server maintenance
  Start: Sunday 6:00 A.M.
  Completion: Sunday 10:00 A.M.
  Duration: 4 hours
  Workload: High

Table 5: Sample Schedule for Planning Backup Jobs

Component to restore: List item
  Steps: check the Recycle Bin for the previous version; check version history for the previous version; use the toolset to recover the list item
  Notes: Some tools can restore at the list or library level only.

Component to restore: List or library
  Steps: use the toolset to recover the list or library
  Notes: SharePoint 2010 SP1 provides recovery functionality.

Component to restore: Site
  Steps: use the toolset to recover the site
  Notes: SharePoint 2010 SP1 provides recovery functionality.

Component to restore: Site collection
  Steps: use the toolset to recover the site collection

Component to restore: Application
  Steps: use the toolset to recover the application

Component to restore: Server
  Steps: load Windows Server and all service packs; join the domain; install SharePoint; install service packs; install customizations; configure SharePoint
  Notes: Depending on the server, you might also restore data.

Component to restore: Farm
  Steps: load Windows Server and all service packs; join the domain; install SharePoint; install service packs; install customizations; configure SharePoint; use the toolset to recover data
  Notes: Consider slipstreaming as much as possible.

Table 6: General Steps for Recovery (the exact steps depend on the toolset used)


Backup Schedule

When planning your backup schedule (see Table 5 for an example), make sure that you can recover successfully and that the servers aren't saturated as a result of running multiple jobs. Consider the following:

• Should you run full backups monthly or weekly? Depending on your SLAs, weekly is probably best.
• When should you run incremental backups? Daily is the norm.
• What is the duration of your backup jobs? You must plan backup windows to avoid overlap with other jobs (e.g., virus scans), which could degrade performance or even cause outages.

The best approach is to list all jobs that will run, document their duration and the load they place on servers, and map out a visual schedule. With this, you can monitor the jobs for successful completion, increases in duration, and exceptions.
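The Table 5 rows turned into a weekly timeline with an overlap check, as an added example that is not from the article. The job list is constructed from the table (times are hours from midnight); the check handles the one case a hand-drawn chart tends to miss, a job that starts on Saturday night and finishes on Sunday morning.

```powershell
# Added example (not from the article). Expands a job list like Table 5 into
# [start, end) minute intervals over one week and reports every pair of
# different jobs that run at the same time. Input is constructed from Table 5.
$Jobs = @(
    @{ Name='Incremental backup'; Days='Sun','Mon','Tue','Wed','Thu','Fri';       Start=22; Hours=2; Load='Medium' },
    @{ Name='Full backup';        Days=@('Sat');                                  Start=22; Hours=6; Load='High'   },
    @{ Name='Virus scan';         Days='Sun','Mon','Tue','Wed','Thu','Fri','Sat'; Start=4;  Hours=1; Load='Medium' },
    @{ Name='SQL maintenance';    Days=@('Sun');                                  Start=6;  Hours=4; Load='High'   }
)
$DayIndex    = @{ Sun=0; Mon=1; Tue=2; Wed=3; Thu=4; Fri=5; Sat=6 }
$WeekMinutes = 7 * 24 * 60

# Minutes since Sunday 00:00 back to "Sat 23:00"; 10080 wraps to Sun 00:00.
function Format-WeekMinute {
    param([int]$m)
    $names = 'Sun','Mon','Tue','Wed','Thu','Fri','Sat'
    $day   = [int][Math]::Floor($m / 1440) % 7
    $hour  = [int][Math]::Floor(($m % 1440) / 60)
    return ('{0} {1:00}:{2:00}' -f $names[$day], $hour, ($m % 60))
}

# One interval per scheduled run; a run that crosses Saturday->Sunday is split
# so the overlap scan only ever compares intervals inside a single week.
function Get-JobIntervals {
    param([hashtable[]]$JobList)
    $out = @()
    foreach ($j in $JobList) {
        foreach ($d in $j.Days) {
            $start = ($DayIndex[$d] * 24 + $j.Start) * 60
            $end   = $start + $j.Hours * 60
            if ($end -le $WeekMinutes) {
                $out += New-Object PSObject -Property @{ Name=$j.Name; Load=$j.Load; Start=$start; End=$end }
            } else {
                $out += New-Object PSObject -Property @{ Name=$j.Name; Load=$j.Load; Start=$start; End=$WeekMinutes }
                $out += New-Object PSObject -Property @{ Name=$j.Name; Load=$j.Load; Start=0; End=($end - $WeekMinutes) }
            }
        }
    }
    return $out
}

# Sweep the intervals in start order; once the next start is past this
# interval's end nothing later can overlap it, so each pair is checked once.
function Find-JobOverlaps {
    param([hashtable[]]$JobList)
    $iv   = @(Get-JobIntervals $JobList | Sort-Object Start)
    $hits = @()
    for ($a = 0; $a -lt $iv.Count; $a++) {
        for ($b = $a + 1; $b -lt $iv.Count; $b++) {
            if ($iv[$b].Start -ge $iv[$a].End) { break }
            if ($iv[$a].Name -eq $iv[$b].Name) { continue }   # the same job on two days is not a clash
            $hits += New-Object PSObject -Property @{
                First  = $iv[$a].Name
                Second = $iv[$b].Name
                From   = Format-WeekMinute ([Math]::Max($iv[$a].Start, $iv[$b].Start))
                To     = Format-WeekMinute ([Math]::Min($iv[$a].End,   $iv[$b].End))
                Loads  = '{0}+{1}' -f $iv[$a].Load, $iv[$b].Load
            }
        }
    }
    return $hits
}

# Usage. The Table 5 schedule itself is clean; add a weekend search crawl to see a report:
# Find-JobOverlaps $Jobs | Format-Table First, Second, From, To, Loads
# $Jobs += @{ Name='Full crawl'; Days=@('Sat'); Start=23; Hours=3; Load='High' }
# Find-JobOverlaps $Jobs | Format-Table First, Second, From, To, Loads
# -> Full backup / Full crawl from Sat 23:00 to Sun 00:00, and again Sun 00:00 to Sun 02:00, Loads High+High
```

Two High loads in the same window on the same SQL Server are the outage the section warns about; feed the report into the governance forum rather than fixing the schedule quietly, because the crawl owner and the backup owner are usually different people.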

Governance

Backup and recovery needs tools, process, policy, and staffing to function properly. Non-IT staff tend to oversimplify technical aspects, while IT staff tend to complicate them. Governance creates a forum, letting the organization work through requirements and issues toward consensus. A governance plan should designate an executive decision maker; stakeholders from business and IT groups; tools for tracking issues, discussion topics, and decisions; a decision framework; and a communications plan.

Backup and Restore Processes

After preparation come processes. For backup, consider everything that you need to restore SharePoint. For recovery, consider what you need to recover SharePoint and the data it contains. Are you responsible for Windows Server recovery, or is another party? Often SharePoint backup and recovery toolsets require servers to be loaded with Windows Server and joined to the domain. If you rely on another party, work with them to obtain specifics regarding SLAs and other details. Since the actual step-by-step backup and restore processes depend on the toolset used, Table 6 shows only general steps for recovery.

To safeguard against loss from a catastrophic event, keep duplicate copies of backups in a separate location from the servers. Also, set a retrieval process in place, communicate it through training, and test it. As a best practice, keep three copies of the backup media, and keep at least one copy off site in a controlled environment. Treat backup sets as being as sensitive as the content databases they came from: a farm backup contains every document and list item in the farm, so the backup share, the tapes and the off-site location need the same access controls and audit trail as production.
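An added example (not from the article) of the duplicate-copy step: copy a finished backup set to a second location and verify it against a SHA-256 manifest, so the off-site copy is known good before the source is aged out. Paths are hypothetical; the hashing calls .NET directly so it runs on the PowerShell 2.0 that ships with the SharePoint 2010 Management Shell, which has no Get-FileHash.

```powershell
# Added example (not from the article). Hash every file in a backup set, write
# the manifest beside it, copy the set, and re-hash the copy. Assumptions:
# $Source is a spbr#### folder written by Backup-SPFarm; $Destination is a
# hypothetical share at the second site. Works on PowerShell 2.0 / .NET 3.5.

function Get-Sha256Hex {
    param([Parameter(Mandatory=$true)][string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close(); $sha.Clear() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '')
}

function Copy-SPBackupSetVerified {
    param(
        [Parameter(Mandatory=$true)][string]$Source,       # e.g. \\backup01\spbackup\spbr0003 (hypothetical)
        [Parameter(Mandatory=$true)][string]$Destination   # e.g. \\dr-backup\spbackup\spbr0003 (hypothetical)
    )
    $Source = (Resolve-Path $Source).ProviderPath.TrimEnd('\')

    # 1. Hash the source while it is still the only copy. The manifest travels
    #    with the set, so the off-site copy can be re-verified years later.
    $manifest = @{}
    Get-ChildItem -Path $Source -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $rel = $_.FullName.Substring($Source.Length + 1)
        $manifest[$rel] = Get-Sha256Hex $_.FullName
    }
    if ($manifest.Count -eq 0) { throw "No files found under $Source" }
    $manifestPath = Join-Path $Source 'sha256.manifest'
    $manifest.GetEnumerator() | Sort-Object Key |
        ForEach-Object { '{0}  {1}' -f $_.Value, $_.Key } |
        Set-Content -Path $manifestPath -Encoding ASCII

    # 2. Copy contents (not the folder itself, which Copy-Item would nest).
    if (-not (Test-Path $Destination)) { New-Item -ItemType Directory -Path $Destination -Force | Out-Null }
    Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force

    # 3. Re-hash the copy; any missing or altered file fails the whole set.
    $bad = @()
    foreach ($rel in $manifest.Keys) {
        $copy = Join-Path $Destination $rel
        if (-not (Test-Path $copy) -or (Get-Sha256Hex $copy) -ne $manifest[$rel]) { $bad += $rel }
    }
    if ($bad.Count -gt 0) { throw ('Off-site copy failed verification: ' + ($bad -join ', ')) }
    return $manifest.Count   # number of files verified
}

# Usage (hypothetical paths):
# $n = Copy-SPBackupSetVerified -Source '\\backup01\spbackup\spbr0003' -Destination '\\dr-backup\spbackup\spbr0003'
# "$n files verified"
```

Re-run the verification loop against the off-site copy as part of the twice-yearly fire drill; a manifest mismatch there is the earliest warning you will get of media rot or of someone tampering with the set.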

Keys to Success

The key is to match business needs and expectations with your financial budget. In addition, review the solution SLAs with key stakeholders on a regular basis, since needs are always in flux.

InstantDoc ID 140201 


Ron Charity is the SharePoint product manager with a major 
consulting firm. He has 20 + years in infrastructure and application 
consulting for Fortune 500 firms and SharePoint technologies 
experience dating back to 2000. He is responsible for a large global 
SharePoint environment with farms that service 140 countries. 
SharePoint Document Management Solutions

Enhancing the order-out-of-chaos features of SharePoint 2010

By Caroline Marwitz


Back when SharePoint 2010 was just a smile on a Microsoft SharePoint product manager's face, we ran a buyer's guide on SharePoint document management (see "Buyer's Guide: SharePoint Document Management Tools," www.windowsitpro.com, InstantDoc ID 102661).

Since then, SharePoint 2010 was released, with improved document management features such as the document set, which helps users group related documents and workflows, and metadata management, which helps bring order to the chaos of document proliferation. So you might be wondering, "Why do I need a document management solution now that I have SharePoint 2010?" Well, SharePoint 2010 isn't designed to support all document management scenarios. However, with the help of third-party SharePoint document management solutions, you can make SharePoint work best to suit your organization's needs.

The Association for Information and Image Management 
(AIIM) defines document management as “the use of a 
computer system and software to store, manage, and track 
electronic documents and electronic images of paper-based 
information.” As you research document management 
solutions, you’ll see terms such as “records management” 
and “Enterprise Content Management (ECM),” too. We’re 
focusing more narrowly on document management and 
keeping the industry focus broad, as opposed to narrowing 
it to verticals such as the pharmaceutical industry or legal 
services. 

Logically, when you're looking at what you want a document management system to do, you want it to help make your users' jobs easier as far as working with documents and storing them, and you want it to make your job easier with the ability to secure and audit document access for compliance. Some kind of version control, document locking, or document check-in/check-out is useful so users don't save over each other's work accidentally and so changes are noted. Additionally, being able to annotate documents and stamp them is useful for archiving and e-discovery. And being able to roll back to a previous document version is also helpful.


You might want a solution that lets you specify a storage location based on project, time period, or user access. And security is important, at least to limit document viewing via access control. Some solutions also offer support for compliance within specific industry and government regulations.

If you have a lot of paper documents to scan in, or other information to capture, you might want to look at solutions that offer capture and scanning of documents, especially those that let you control the scanning process from beginning to end and offer the ability to check image quality. It's also helpful if fields in the scanning solution can map to SharePoint columns and to libraries for homing in on document locations.

Being able to find documents is essential. The ability to search indexed content is crucial, whether your documents are indexed through simple unique document identifiers or located more precisely via document metadata. And depending on how your organization processes its documents, you might want a system with built-in workflows, so that managing documents is integrated logically into a user's job duties.

The buyer's guide table shows some SharePoint document management solutions we're aware of, though there are many others, including industry-specific ones. And of course, there are some mighty big vendors just dying to whisk you away from SharePoint and into their document ecosystem.

The vendors we list aim to help you make SharePoint work better as a document management system. It's not necessarily a comprehensive list, but we hope it provides a good starting point for your research.

InstantDoc ID 139522 


Caroline Marwitz (sharepointeditor@penton.com) is editor of 
SharePoint Pro magazine and manages sharepointpromag.com. 
Buyer's Guide

| Company | Product | Pricing | SharePoint Version | Search Capabilities | Metadata Search | Taxonomy/Tagging | Indexing | Access Control Features |
|---|---|---|---|---|---|---|---|---|
| Alcero, 514-880-7704, www.alcero.com | Alexya | Between $5,000 and $25,000 | SharePoint 2010, 2007 | Yes | Yes | Yes/Yes | Yes | Yes |
| Cadac Organice, +31-45-400-1010, www.organice.com | Cadac Organice Product Suite | Contact vendor | SharePoint 2010 | Yes | Yes | Yes/Yes | Yes | Yes |
| Colligo Networks, 604-685-7962, www.colligo.com | Colligo Contributor | $75 to $189, volume discounts available | SharePoint 2010 | Yes | Yes | Yes/Yes | Yes | Yes |
| Dark Blue Duck, 425-296-7670, www.darkblueduck.com | Scanning Enabler v4.x | $450 for five users | SharePoint 2010, 2007 | Yes | Yes | Yes/Yes | Yes | Yes |
| Executive Technologies, 205-985-7686, www.searchexpress.com | SearchExpress/SharePoint Document Management | $5,000 | SharePoint 2010, 2007 | Yes | Yes | Yes/Yes | Yes | Yes |
| FileHold Systems, 877-833-1202, www.filehold.com | Document Management Software | $3,750 for five-user system | SharePoint 2010, 2007 | Yes | Yes | Yes/Yes | Yes | Yes |
| Kaldeera, 678-608-1383, www.kalderra.com | Kaldeera ScanIN | $600 | SharePoint 2010, 2007 | Yes | Yes | Yes/No | No | Yes |
| Kofax, 949-783-1000, www.kofax.com | Kofax Enterprise Capture for SharePoint | Contact vendor | SharePoint 2010, 2007 | No | No | No/No | Yes | Yes |
| MacroView, 866-589-4939, www.macroviewusa.com | MacroView DMF | $77 per seat | SharePoint 2010, 2007 | Yes | Yes | Yes/Yes | Yes | Yes |
| OpenText, 800-499-6544, www.opentext.com | OpenText Application Governance & Archiving for Microsoft SharePoint | Contact vendor | SharePoint 2010 | Yes | Yes | Yes/Yes | Yes | Yes |
| PSIGEN Software, 949-916-7700, www.psigen.com | PSI:Capture | $995 to $17,000 depending on modules and volumes | SharePoint 2010 | Yes | Yes | Yes/Yes | Yes | Yes |
| Vizit, 855-849-4887, www.vizit.com | Vizit | Starts at $999 | SharePoint 2010, 2007 | Yes | Yes | No/No | Yes | Yes |

Editor's Note: Some vendors you might expect to see in this Buyer’s Guide said they didn’t have a product that exactly matched the 
criteria or didn’t respond to our requests for information about their products. 
Buyer's Guide (continued): the same vendors, in the same order.

| Company | Audit Trail Capabilities | Editing/Annotation Capabilities | Version Controls | Check-in, Check-out | Document Locking | Roll Back Capabilities | File Export Types | Scan Capabilities | Integrated Workflows | Ability to Specify Storage Location | Document Lifecycle Control |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Alcero | Yes | Yes | Yes | Yes | Yes | Yes | PDF | No | Yes | Yes | Yes |
| Cadac Organice | Yes | Yes | Yes | Yes | Yes | Yes | PDF, XLS, DOC, AutoCAD, ZIP | Yes | Yes | No | Yes |
| Colligo Networks | Yes | Yes | Yes | Yes | Yes | Yes | Not available | No | Yes | Yes | Yes |
| Dark Blue Duck | Yes | Yes | Yes | Yes | No | Yes | PDF, PDF/A, TIF, JPG, BMP | Yes | Yes | Yes | Yes |
| Executive Technologies | No | Yes | No | No | No | No | DOC, XLS, PPT | Yes | Yes | Yes | No |
| FileHold Systems | Yes | Yes | Yes | Yes | Yes | Yes | PDF | Yes | Yes | Yes | Yes |
| Kaldeera | Yes | No | Yes | Yes | No | Yes | PDF, JPG, TIFF | Yes | Yes | No | Yes |
| Kofax | Yes | No | Yes | No | Yes | No | TIFF, PDF | Yes | Yes | No | No |
| MacroView | Yes | Yes | Yes | Yes | Yes | Yes | DOC, XLS, PPT, PDF, RTF, TXT | No | Yes | Yes | Yes |
| OpenText | Yes | Yes | Yes | Yes | Yes | Yes | PDF, XPS, other formats | Yes | Yes | Yes | Yes |
| PSIGEN Software | Yes | Yes | Yes | Yes | Yes | Yes | PDF, TIFF, PNG, JPG, BMP | Yes | Yes | Yes | Yes |
| Vizit | Yes | Yes | Yes | Yes | Yes | No | Over 400 document formats | Yes | Yes | No | No |
SQL Server 2008 R2 Highlights

• ACCESS TO EXPERTS: Solve your toughest IT headaches with in-depth columns by Kalen Delaney, Itzik Ben-Gan, and Brian Moran.

• UP-TO-THE-MINUTE: Comprehensive coverage of T-SQL, Reporting Services, log files, business intelligence, SharePoint, and much more.

• COMMUNITY-WIDE RESOURCES: Access to blogs, forums, Web updates, events and news alerts on the absolute latest industry developments as they happen.

• EXCLUSIVE ACCESS: Subscriber-only access to the entire SQL Server Magazine online article database.

• RISK-FREE OFFER: If you're not satisfied with SQL Server
refund for any un-mailed issues.
New & Enhanced Products

Product news for SharePoint admins, devs, and end users

By Caroline Marwitz


Office 365 Compatibility 


Showing that companies in the SharePoint solution world are increasingly committing to SharePoint Online in spite of Microsoft's lag in making the collaborative aspect of Office 365 truly enterprise-ready, Workshare recently announced Office 365 compatibility for its Workshare Point document management solution for SharePoint.

Workshare Point 1.2, a solution that integrates SharePoint with Microsoft Office, will now let users connect to a SharePoint Online server hosted by Microsoft in its Office 365 cloud service. Workshare has also added the ability for smaller companies to manage content within Microsoft Office and the more basic SharePoint Foundation 2010, providing an entry into online content management in an on-premises-like solution.

The latest version will provide the ability to preview Outlook messages stored in SharePoint while the user is in Outlook, support for site collections, a new SharePoint email folder pane for improved filing and synchronization, and improved auto-profiling using document and email metadata. See the company's website for more information: www.workshare.com.


SharePoint Backup and Recovery 


Recently, Syncsort reported that it had enhanced its backup solution for SharePoint. NetApp Syncsort Integrated Backup (NSB) now includes "virtual node" technology that protects SharePoint by automatically discovering all the servers and server roles in a farm and protecting them under a single check-box item. NSB restores all aspects of a SharePoint environment, including individual objects or documents, a SharePoint site, a database, or an entire farm. It integrates with VMware environments, enabling conversion of a SharePoint backup, whether physical or virtual, to a virtual machine. NSB also protects physical servers, enabling a full bare-metal restore from a backup job, and it includes NetApp SnapMirror replication software so that backups can be replicated to an alternate site for full, multi-site disaster recovery. It supports both SharePoint 2010 and SharePoint 2007. See Syncsort's website: www.syncsort.com.


Auditing SharePoint 

Monitoring SharePoint activity is crucial for meeting compliance and security requirements, and simply for keeping tabs on what's going on with your SharePoint implementation. LOGbinder SP writes SharePoint audit events to the Windows event log. And LOGbinder SP SIEM edition adds alerting, reporting, and secure, long-term archiving of SharePoint audit logs.

“We originally built LOGbinder SP Agent Edition 
with security teams in mind who already had a log 
management-SIEM solution in place and just needed to 
get access to SharePoint audit logs with all the cryptic 
codes translated and resolved,” says LOGbinder’s Randy 
Franklin Smith. “But we found that many SharePoint teams 
often don’t have a log management-SIEM solution already 
in place, yet they still need alerting, reporting, and log 
archiving. And that is what our SIEM edition provides.” To 
learn about SharePoint logging and LOGbinder’s solutions, 
see www.logbinder.com.


Advertising Index

| Advertiser | Page | URL |
|---|---|---|
| CompuSight | Cover 3 | www.eSign365.com |
| Critical Path Training | 4 | www.CriticalPathTraining.com |
| SharePoint Connections Fall 2011 | 28, 29 | www.devconnections.com |
| fpweb.net | 8, 9 | www.fpweb.net |
| Idera | 2 | www.idera.com/SharePointDM |
| SQL Server Magazine | 38 | www.sqlmag.com |
| SurfRay Inc | Cover 2 | www.surfray.com/fast |
| Windows IT Pro | 10, 17 | www.windowsitpro.com |


SharePoint Pro | October 2011 39 









SharePoint Q&A

By Ethan Wilansky and Bart McDonough


Q: "Failure Loading Item Picker" shows in the ULS log. Help!

A: While developing a Business Connectivity Services (BCS) .NET Connectivity Solution in Visual Studio 2010, you add a filter descriptor to your entity and deploy the solution, but displaying the item picker data fails. In the SharePoint Unified Logging Service (ULS) log, you see an error message that begins "Failure loading item picker. System.Runtime.Serialization.SerializationException: Attempting to deserialize an empty stream."

This is a classic example of the underlying out-of-the-box Business Data Connectivity (BDC) service code not catching this error condition early enough and then sending you an ambiguous message. One possible reason for the error is that you didn't add the filter descriptor to a Finder method (typically called ReadList) as an input parameter to the method in the associated service class.

Solution: After adding the filter descriptor name as an input parameter to the Finder method, be sure to delete the associated external content type from Central Administration before redeploying the model. Also, verify that the method has a Where clause to accommodate the filter descriptor. For example, let's say you have an entity named Car with an associated service class named CarService. You have defined a filter descriptor named ColorFilterDescriptor so that users can filter cars by color. This filter descriptor is associated with the Color type descriptor in the Car entity. The Color type descriptor is defined as an In parameter in the model.

In the ReadList method of the CarService class, you must add the Color In parameter of the Car entity as an input parameter of the Finder (ReadList) method. In addition, you must add a Where clause to your ReadList method that filters on the value a user passes in for the ColorFilterDescriptor.

—Ethan Wilansky 
InstantDoc ID 136309 

Q: How do I change the icon on the sign-in page in SharePoint 2010?

A: You've turned on claims-based authentication for a web application in SharePoint 2010, and you've also enabled the Forms-based authentication option in the authentication settings for one or more zones. When you browse to the site, the sign-in page shows an error icon (red circle with a white X) on it, and you'd like to replace that icon.

Which sign-in page you see depends upon how you've configured claims-based authentication.

If you've enabled both Windows and forms-based authentication for a zone, you'll see the sign-in page containing a drop-down list that lets you choose how you'd like to log in. This version of the page is located at {SharePointRoot}\TEMPLATE\IDENTITYMODEL\LOGIN\default.aspx.

If you've only enabled forms-based authentication (and not Windows), you'll see a sign-in page that contains the standard user name and password fields you'd expect to see. This version of the page is located at {SharePointRoot}\TEMPLATE\IDENTITYMODEL\FORMS\default.aspx.

Solution: The master page used by the sign-in pages places the icon inside an ASP.NET content placeholder, making it easy to change. I recommend you create a Solution Package (WSP file) for final deployment, but so you can see what's going on, here are the manual steps:

1. Go to the location of your current sign-in page (one of the two locations described above).

2. Copy the default.aspx page to a new folder you've created (perhaps named after your company) under {SharePointRoot}\TEMPLATE\LAYOUTS. That way you're not changing out-of-the-box files.

3. Open the copied file in a text editor and add the following ASP.NET content tag:

    <asp:Content ContentPlaceHolderId="PlaceHolderIcon" runat="server">
        <img src="/path/to/new/icon.gif" runat="server" />
    </asp:Content>

4. Save the file.

5. Open Central Administration, and go to the Web Application Management page.

6. Select your web application, and click Authentication Providers in the ribbon.

7. In the pop-up dialog box, click the link for the zone where you want your new sign-in page.

8. For the Sign-In Page URL setting, choose Custom Sign-In Page, and set the URL to /_layouts/YourFolder/default.aspx (or wherever you put your new page).

Now your sign-in page should display your new icon. I 
hope it’s much more user-friendly than the big red X. 

—Bart McDonough 
InstantDoc ID 136377 
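Steps 5 through 8 above set a single property on the zone's IIS settings, which means they can be scripted and checked rather than clicked through. The PowerShell script below is an added example, not code from the Q&A column: it verifies the copied page from steps 2 and 3 before pointing a zone at it, warns about the two things a security reviewer would flag on a page that receives passwords (an external resource reference, and a zone served over plain HTTP), and then writes the same setting Central Administration writes. The web application URL and the YourFolder folder name are hypothetical, as in the answer.

```powershell
# Added example, not from the Q&A column: automate steps 5 through 8 and check
# the copied page before pointing a zone at it. Assumes the SharePoint 2010
# Management Shell snap-in, a claims-based web application at
# https://portal.contoso.com and a page copied to TEMPLATE\LAYOUTS\YourFolder;
# the URL and folder name are hypothetical.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl  = "https://portal.contoso.com"        # hypothetical
$folder     = "YourFolder"                        # hypothetical, matches step 2
$customPage = "/_layouts/$folder/default.aspx"
$zone       = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

# Step 2 check: the copy must exist under the SharePoint root (the "14 hive")
# in LAYOUTS, not in IDENTITYMODEL, so the out-of-the-box files stay untouched.
$layouts  = [Microsoft.SharePoint.Utilities.SPUtility]::GetGenericSetupPath("TEMPLATE\LAYOUTS")
$pagePath = Join-Path (Join-Path $layouts $folder) "default.aspx"
if (-not (Test-Path $pagePath)) {
    throw "Custom sign-in page not found at $pagePath; copy default.aspx there first."
}

# Step 3 check: the icon override is present, and the page does not pull content
# from another host. A sign-in page is where credentials are typed, so everything
# it loads should come from this server over the same HTTPS origin.
$markup = [System.IO.File]::ReadAllText($pagePath)
if ($markup -notmatch 'ContentPlaceHolderId="PlaceHolderIcon"') {
    Write-Warning "PlaceHolderIcon override not found; the red X will still show."
}
if ($markup -match 'src="https?://') {
    Write-Warning "Page references an absolute external URL; use a server-relative path."
}
if ($webAppUrl -notlike "https://*") {
    Write-Warning "Forms-based sign-in over plain HTTP sends passwords in the clear."
}

# Steps 5 to 8: the setting Central Administration writes when you choose
# Custom Sign-In Page for a zone.
$webApp = Get-SPWebApplication $webAppUrl
if (-not $webApp.UseClaimsAuthentication) {
    throw "Web application is in classic mode; custom sign-in pages apply to claims-based zones only."
}
$settings = $webApp.IisSettings[$zone]
if (-not $settings.UseFormsClaimsAuthenticationProvider) {
    Write-Warning "Forms-based authentication is not enabled on this zone."
}
$settings.ClaimsAuthenticationRedirectionUrl = New-Object System.Uri($customPage, [System.UriKind]::Relative)
$webApp.Update()

# Read the effective value back from a fresh object.
(Get-SPWebApplication $webAppUrl).IisSettings[$zone].ClaimsAuthenticationRedirectionUrl
```

Run it from the SharePoint 2010 Management Shell as a farm administrator on a server in the farm; the file checks look at that server's copy of the page, so deploy the page (ideally via the WSP the answer recommends) to every web front end before running it. The last line should print the server-relative path you set, and Central Administration's Authentication Providers dialog for the zone will show the same value.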
Paper is still good for some things...

eSignature Efficiency. Because the dotted line can affect your bottom line.

eSign365 is the only electronic signature solution that is seamlessly integrated with Microsoft SharePoint 2010 and SharePoint Online (Office 365), enabling users as well as third-party signers to approve and agree on legally enforceable documents. Extending SharePoint with electronic signature capabilities enables organizations to maximize their return on investment in automation while keeping business moving smoothly. Achieve straight-through processing, eliminate the rekeying of data and automate business processes. Integrate eSignature with SharePoint workflows and enable electronic and reliable approvals. Send any SharePoint library document for eSignature request with a couple of clicks. With eSign365 you will speed up document automation and workflow, reduce costs, and comply with regulation.

• Achieve straight-through document processing
• Eliminate the rekeying of data
• Shorten the sales cycle and accelerate the revenue
• Reduce environmental footprint
• Get real-time status on every transaction
• Drive internal SharePoint usage
• Reduce costs by going paperless
• Streamline collaboration with clients
• Ensure compliance requirements
• Increase productivity and efficiency

For a free trial or a live demo visit us at www.eSign365.com or call 800.800.7140

